diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8fa5b33
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+env
\ No newline at end of file
diff --git a/README.md b/README.md
index 79a6867..e406f23 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ ansible-playbook -i host run.yaml --list-tags
 I wrote all roles based on
 ```Text
 CIS Ubuntu Linux 20.04 LTS Benchmark
-v1.0.0 - 07-21-2020
+v1.1.0 - 07-21-2020
 ```
@@ -483,6 +483,15 @@ TASK [CIS-Ubuntu-20.04-Ansible : 5.4.1.1 Ensure password expiration is 365 days
 ```
 * Make sure you set the right user under defaults/main.yaml
+
+```
+
+TASK [CIS-Ubuntu-20.04-Ansible : Creating users without admin access] ***************************************************************************************************************
+fatal: [golden]: FAILED! => {"msg": "crypt.crypt not supported on Mac OS X/Darwin, install passlib python module"}
+```
+
+Install `pip install passlib`
+
 _________________
diff --git a/_config.yml b/_config.yml
new file mode 100644
index 0000000..f980e76
--- /dev/null
+++ b/_config.yml
@@ -0,0 +1 @@
+theme: jekyll-theme-slate
diff --git a/defaults/main.yml b/defaults/main.yml
index 3b35ca5..6e9d065 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -10,6 +10,7 @@ disable_hfsplus: yes
 disable_udf: yes
 disable_fat: yes
 temp_dir_size: 1G
+disable_squashfs: no #Disabling squashfs will prevent the use of snap
 ## 1.5.1 Ensure bootloader password is set (using grub): default is no
 set_bootloader_credentials: no
 ### Update the default bootloader user and password
@@ -65,12 +66,13 @@ remove_AvahiServer: yes
 remove_CUPS: yes
 remove_DHCPServer: yes
 remove_LDAPserver: yes
-remove_NFS: yes
+remove_NFS: no
 remove_DNSServer: yes
 remove_FTPServer: yes
 remove_IMAPandPOP3server: yes
 remove_Samba: yes
 remove_HTTPProxyServer: yes
+HTTPProxyServer: squid
 remove_SNMPServer: yes
 remove_rsyncservice: yes
 remove_NISServer: yes
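Review bot: `disable_squashfs: no` ships the new CIS 1.1.1.6 control switched off, and the trailing comment only explains the snap trade-off, not that the control is therefore unapplied on a default run; anyone reading defaults/main.yml to see what the role enforces will miss that. The comment also lacks the conventional two spaces before `#` and a space after it. I would write the line as `disable_squashfs: no  # CIS 1.1.1.6 is skipped by default because snap needs squashfs; set yes on hosts without snap` so the deviation is explicit next to the value.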
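Review bot: Flipping `remove_NFS` from `yes` to `no` changes the role's default away from CIS 2.2.7 with no comment explaining why, so a user who runs the role with default variables now silently keeps the NFS server installed. For a hardening role the benchmark-compliant value should remain the default and the opt-out should be documented at the point of use, e.g. `remove_NFS: yes  # CIS 2.2.7; set no only on hosts that must export NFS`. `HTTPProxyServer: squid` sits directly under `remove_HTTPProxyServer: yes` and reads like a second toggle; presumably it is the package name the 2.2.13 task removes (the task is not in this diff), in which case a comment such as `# package removed by 2.2.13 when remove_HTTPProxyServer is yes` would make that clear.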
@@ -84,8 +86,9 @@ remove_RPC: yes
 # Section 3 Settings
 disable_wifi: no
-IPv6_is_enabled: yes
+IPv6_is_enabled: no
 enable_firewall: yes
+UFWEnable: yes # Running both ufw and the services included in the iptables-persistent package may lead to conflict
 ## 3.5.1.6 Ensure firewall rules exist for all open ports | defined ports
 firewall_list_of_ports_to_allow:
 - { rule: "allow", port: "8080", proto: "tcp" }
@@ -118,11 +121,13 @@ allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0"
 ssh_MACs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
 ## 5.2.14 Ensure only strong Key Exchange algorithms are used
 ssh_key_algorithms: "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+ssh_ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 ## 5.2.17 Ensure SSH access is limited
 allowed_users: ubuntu root #Put None or list of users space between each user
 allowed_groups: None
 deny_users: None
 deny_groups: None
+max_auth_tries: 4
 ## 5.2.21 Ensure SSH MaxStartups is configured
 ssh_max_startups: "10:30:100"
 ## 5.2.22 Ensure SSH MaxSessions is limited
diff --git a/index.html b/index.html
new file mode 100644
index 0000000..7c05706
--- /dev/null
+++ b/index.html
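Review bot: `IPv6_is_enabled: no` makes the role disable IPv6 on every host by default, a host-wide network change for a control the role's own table lists as Manual (3.1.1), and it lands without a comment; a dual-stack or IPv6-only host run with default variables will lose connectivity. I would keep the previous default, or at least document the choice inline: `IPv6_is_enabled: yes  # CIS 3.1.1 is Manual: set no only on hosts that do not need IPv6`. `UFWEnable: yes` is added next to `enable_firewall: yes` with nothing saying how the two relate; if one installs/enables the ufw service and the other applies the rule set, a comment should say so, otherwise one of them is redundant. The inline comment on `UFWEnable` also needs two spaces before `#`.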
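Review bot: `ssh_ciphers` is the only one of the three SSH algorithm lists left unquoted and without a benchmark heading; `@` inside a plain scalar is legal so it still parses as a string, but for consistency with `ssh_MACs` and `ssh_key_algorithms` I would write `## 5.2.12 Ensure only strong Ciphers are used` followed by `ssh_ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"`. The cipher selection itself (chacha20-poly1305 plus AES-GCM/CTR only, no CBC or arcfour) looks right for that control. `max_auth_tries: 4` is placed under the 5.2.17 heading although it belongs to 5.2.6; adding `## 5.2.6 Ensure SSH MaxAuthTries is set to 4 or less` above it keeps the file navigable by benchmark number like the rest of the section.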
@@ -0,0 +1,500 @@ +## Welcome to GitHub Pages + +You can use the [editor on GitHub](https://github.com/alivx/CIS-Ubuntu-20.04-Ansible/edit/gh-pages/index.md) + + +Ansible CIS Ubuntu 20.04 LTS Hardening Version V1.1.0 [![Build Status](https://travis-ci.com/alivx/CIS-Ubuntu-20.04-Ansible.svg?branch=master)](https://travis-ci.com/alivx/CIS-Ubuntu-20.04-Ansible) +========= + +CIS hardened Ubuntu: cyber attack and malware prevention for mission-critical systems +CIS benchmarks lock down your systems by removing: +1. non-secure programs. +2. disabling unused filesystems. +3. disabling unnecessary ports or services. +4. auditing privileged operations. +5. restricting administrative privileges. + + +CIS benchmark recommendations are adopted in virtual machines in public and private clouds. They are also used to secure on-premises deployments. For some industries, hardening a system against a publicly known standard is a criteria auditors look for. CIS benchmarks are often a system hardening choice recommended by auditors for industries requiring PCI-DSS and HIPPA compliance, such as banking, telecommunications and healthcare. +If you are attempting to obtain compliance against an industry-accepted security standard, like PCI DSS, APRA or ISO 27001, then you need to demonstrate that you have applied documented hardening standards against all systems within the scope of assessment. + + +The Ubuntu CIS benchmarks are organised into different profiles, namely **‘Level 1’** and **‘Level 2’** intended for server and workstation environments. + + +**A Level 1 profile** is intended to be a practical and prudent way to secure a system without too much performance impact. +* Disabling unneeded filesystems, +* Restricting user permissions to files and directories, +* Disabling unneeded services. +* Configuring network firewalls. + +**A Level 2 profile** is used where security is considered very important and it may have a negative impact on the performance of the system. 
+ +* Creating separate partitions, +* Auditing privileged operations + +The Ubuntu CIS hardening tool allows you to select the desired level of hardening against a profile (Level1 or Level 2) and the work environment (server or workstation) for a system. +Exmaple: +```Bash +ansible-playbook -i inventory cis-ubuntu-20.yaml --tags="level_1_server" +``` +You can list all tags by running the below command: +```Bash +ansible-playbook -i host run.yaml --list-tags +``` + + +I wrote all roles based on +```Text +CIS Ubuntu Linux 20.04 LTS Benchmark +v1.1.0 - 07-21-2020 +``` + + +**Check Example dir** +_________________ + + +Requirements +------------ + +You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook. + +You can download Free CIS Benchmark book from this URL +[Free Benchmark](https://learn.cisecurity.org/benchmarks) + + +To start working in this Role you just need to install Ansible. +[Installing Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) + + +_________________ + +Role Variables +-------------- + +You have to review all default configuration before running this playbook, There are many role variables defined in defaults/main.yml. + +* If you are considering applying this role to any servers, you should have a basic familiarity with the CIS Benchmark and an appreciation for the impact that it may have on a system. +* Read and change configurable default values. + +Examples of config that should be immediately considered for exclusion: + +**5.1.8 Ensure cron is restricted to authorized users** and **5.2.17 Ensure SSH access is limited**, which by default effectively limit access to the host (including via ssh). 
+ +**For example:** + +* CIS-Ubuntu-20.04-Ansible/defaults/main.yml +```YAML + +#Section 5 +#5.1.8 Ensure cron is restricted to authorized users +allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0" +# 5.2.17 Ensure SSH access is limited +allowed_users: ali saleh baker root #Put None or list of users space between each user + +``` + +If you need you to change file templates, you can find it under `files/templates/*` + + +_________________ + +Dependencies +------------ + +* Ansible version > 2.9 + +_________________ + +Example Playbook +---------------- + +Below an example of a playbook + +```Yaml +--- +- hosts: host1 + become: yes + remote_user: root + gather_facts: no + roles: + - { role: "CIS-Ubuntu-20.04-Ansible",} +``` + +### Run all +If you want to run all tags use the below command: +```Bash +ansible-playbook -i [inventoryfile] [playbook].yaml +``` +### Run specfic section +```Bash +ansible-playbook -i host run.yaml -t section2 +``` +### Run multi sections +```Bash +ansible-playbook -i host run.yaml -t section2 -t 6.1.1 +``` +* Note: +When run an individual task be sure from the dependencies between tasks, for example, if you run tag **4.1.1.2 Ensure auditd service is enabled** before running **4.1.1.1 Ensure auditd is installed** you will get an error at the run time. + +* Points with ~~Tilda~~ not implemented yet, currently I'm working on it. 
+* make sure to select one time service, for me I use ntp, but you can use other service such as [`systemd-timesyncd`,`ntp`,`chrony`] under the settings `defaults/main.yaml` +> Testing +> 11/1/2020 Tested on AWS EC2 ubuntu 20.04 LTS [Pass] +> 11/1/2020 Tested on local Ubuntu 20.04 LTS server [Pass] + +* Before run make sure to update user list under `defaults/main.yaml` on `list_of_os_users` + `allowed_users` +* `Make` sure to set the right subnet under `defaults/main.yaml` on `allowd_hosts` + +_________________ + + +## Table of Roles: + + **1 Initial Setup** + - 1.1 Filesystem Configuration + - 1.1.1 Disable unused filesystems + - 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) + - 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled - (Automated) + - 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated) + - 1.1.1.4 Ensure mounting of hfs filesystems is disabled (Automated) + - 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled - (Automated) + - 1.1.1.6 Ensure mounting of udf filesystems is disabled (Automated) + - 1.1.1.7 Ensure mounting of FAT filesystems is limited (Manual) + - 1.1.2 Ensure /tmp is configured (Automated) + - 1.1.3 Ensure nodev option set on /tmp partition (Automated) + - 1.1.4 Ensure nosuid option set on /tmp partition (Automated) + - 1.1.5 Ensure noexec option set on /tmp partition (Automated) + - 1.1.6 Ensure /dev/shm is configured (Automated) + - 1.1.7 Ensure nodev option set on /dev/shm partition (Automated) + - 1.1.8 Ensure nosuid option set on /dev/shm partition (Automated) + - 1.1.9 Ensure noexec option set on /dev/shm partition (Automated) + - ~~1.1.10 Ensure separate partition exists for /var (Automated)~~ + - ~~1.1.11 Ensure separate partition exists for /var/tmp (Automated)~~ + - ~~1.1.12 Ensure nodev option set on /var/tmp partition (Automated)~~ + - ~~1.1.13 Ensure nosuid option set on /var/tmp partition (Automated)~~ + - ~~1.1.14 Ensure noexec option set on /var/tmp partition 
(Automated)~~ + - ~~1.1.15 Ensure separate partition exists for /var/log (Automated)~~ + - ~~1.1.16 Ensure separate partition exists for /var/log/audit - (Automated)~~ + - ~~1.1.17 Ensure separate partition exists for /home (Automated)~~ + - ~~1.1.18 Ensure nodev option set on /home partition (Automated)~~ + - ~~1.1.19 Ensure nodev option set on removable media partitions (Manual)~~ + - ~~1.1.20 Ensure nosuid option set on removable media partitions - (Manual)~~ + - ~~1.1.21 Ensure noexec option set on removable media partitions - (Manual)~~ + - 1.1.22 Ensure sticky bit is set on all world-writable directories - (Automated) + - 1.1.23 Disable Automounting (Automated) + - 1.1.24 Disable USB Storage (Automated) + +**1.2 Configure Software Updates** + + - ~~1.2.1 Ensure package manager repositories are configured (Manual)~~ + - ~~1.2.2 Ensure GPG keys are configured (Manual)~~ + +**1.3 Configure sudo** + + - 1.3.1 Ensure sudo is installed (Automated) + - 1.3.2 Ensure sudo commands use pty (Automated) + - 1.3.3 Ensure sudo log file exists (Automated) + +**1.4 Filesystem Integrity Checking** + + - 1.4.1 Ensure AIDE is installed (Automated) + - 1.4.2 Ensure filesystem integrity is regularly checked (Automated) + +**1.5 Secure Boot Settings** + + - 1.5.1 Ensure bootloader password is set (Automated) + - 1.5.2 Ensure permissions on bootloader config are configured - (Automated) + - 1.5.3 Ensure authentication required for single user mode (Automated) + +**1.6 Additional Process Hardening** + - 1.6.1 Ensure XD/NX support is enabled (Automated) + - 1.6.2 Ensure address space layout randomization (ASLR) is enabled - (Automated) + - 1.6.3 Ensure prelink is disabled (Automated) + - 1.6.4 Ensure core dumps are restricted (Automated) + +**1.7 Mandatory Access Control** + - 1.7.1 Configure AppArmor + - 1.7.1.1 Ensure AppArmor is installed (Automated) + - 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration - (Automated) + - 1.7.1.3 Ensure all AppArmor Profiles are in 
enforce or complain mode - (Automated) + - 1.7.1.4 Ensure all AppArmor Profiles are enforcing (Automated) + +**1.8 Warning Banners** + - 1.8.1 Command Line Warning Banners + - 1.8.1.1 Ensure message of the day is configured properly (Automated) + - 1.8.1.2 Ensure local login warning banner is configured properly - (Automated) 115 + - 1.8.1.3 Ensure remote login warning banner is configured properly - (Automated) + - 1.8.1.4 Ensure permissions on /etc/motd are configured (Automated) + - 1.8.1.5 Ensure permissions on /etc/issue are configured (Automated) + - 1.8.1.6 Ensure permissions on /etc/issue.net are configured - (Automated) + - 1.9 Ensure updates, patches, and additional security software are - installed (Manual) + - 1.10 Ensure GDM is removed or login is configured (Automated) + +**2 Services** + - 2.1 inetd Services + - 2.1.1 Ensure xinetd is not installed (Automated) + - 2.1.2 Ensure openbsd-inetd is not installed (Automated) + - 2.2 Special Purpose Services + - 2.2.1 Time Synchronization + - 2.2.1.1 Ensure time synchronization is in use (Automated) + - 2.2.1.2 Ensure systemd-timesyncd is configured (Manual) + - 2.2.1.3 Ensure chrony is configured (Automated) + - 2.2.1.4 Ensure ntp is configured (Automated) + - 2.2.2 Ensure X Window System is not installed (Automated) + - 2.2.3 Ensure Avahi Server is not installed (Automated) + - 2.2.4 Ensure CUPS is not installed (Automated) + - 2.2.5 Ensure DHCP Server is not installed (Automated) + - 2.2.6 Ensure LDAP server is not installed (Automated) + - 2.2.7 Ensure NFS is not installed (Automated) + - 2.2.8 Ensure DNS Server is not installed (Automated) + - 2.2.9 Ensure FTP Server is not installed (Automated) + - 2.2.10 Ensure HTTP server is not installed (Automated) + - 2.2.11 Ensure IMAP and POP3 server are not installed (Automated) + - 2.2.12 Ensure Samba is not installed (Automated) + - 2.2.13 Ensure HTTP Proxy Server is not installed (Automated) + - 2.2.14 Ensure SNMP Server is not installed (Automated) + - 
2.2.15 Ensure mail transfer agent is configured for local-only mode - (Automated) + - 2.2.16 Ensure rsync service is not installed (Automated) + - 2.2.17 Ensure NIS Server is not installed (Automated) + +**2.3 Service Clients** + - 2.3.1 Ensure NIS Client is not installed (Automated) + - 2.3.2 Ensure rsh client is not installed (Automated) + - 2.3.3 Ensure talk client is not installed (Automated) + - 2.3.4 Ensure telnet client is not installed (Automated) + - 2.3.5 Ensure LDAP client is not installed (Automated) + - 2.3.6 Ensure RPC is not installed (Automated) + - ~~2.4 Ensure nonessential services are removed or masked (Manual)~~ + +**3 Network Configuration** + - 3.1 Disable unused network protocols and devices + - 3.1.1 Disable IPv6 (Manual) + - 3.1.2 Ensure wireless interfaces are disabled (Automated) + +**3.2 Network Parameters (Host-Only)** + - 3.2.1 Ensure packet redirect sending is disabled (Automated) + - 3.2.2 Ensure IP forwarding is disabled (Automated) + +**3.3 Network Parameters (Host and Router)** + - 3.3.1 Ensure source-routed packets are not accepted (Automated) + - 3.3.2 Ensure ICMP redirects are not accepted (Automated) + - 3.3.3 Ensure secure ICMP redirects are not accepted (Automated) + - 3.3.4 Ensure suspicious packets are logged (Automated) + - 3.3.5 Ensure broadcast ICMP requests are ignored (Automated) + - 3.3.6 Ensure bogus ICMP responses are ignored (Automated) + - 3.3.7 Ensure Reverse Path Filtering is enabled (Automated) + - 3.3.8 Ensure TCP SYN Cookies is enabled (Automated) + - 3.3.9 Ensure IPv6 router advertisements are not accepted (Automated) + +**3.4 Uncommon Network Protocols** + - 3.4.1 Ensure DCCP is disabled (Automated) + - 3.4.2 Ensure SCTP is disabled (Automated) + - 3.4.3 Ensure RDS is disabled (Automated) + - 3.4.4 Ensure TIPC is disabled (Automated) + +**3.5 Firewall Configuration** + - 3.5.1 Configure UncomplicatedFirewall + - 3.5.1.1 Ensure Uncomplicated Firewall is installed (Automated) + - 3.5.1.2 Ensure 
iptables-persistent is not installed (Automated) + - 3.5.1.3 Ensure ufw service is enabled (Automated) + - 3.5.1.4 Ensure loopback traffic is configured (Automated) + - 3.5.1.5 Ensure outbound connections are configured (Manual) + - 3.5.1.6 Ensure firewall rules exist for all open ports (Manual) + - 3.5.1.7 Ensure default deny firewall policy (Automated) + - ~~3.5.2 Configure nftables~~ + - ~~3.5.2.1 Ensure nftables is installed (Automated)~~ + - ~~3.5.2.2 Ensure Uncomplicated Firewall is not installed or disabled - (Automated)~~ + - ~~3.5.2.3 Ensure iptables are flushed (Manual)~~ + - ~~3.5.2.4 Ensure a table exists (Automated)~~ + - ~~3.5.2.5 Ensure base chains exist (Automated)~~ + - ~~3.5.2.6 Ensure loopback traffic is configured (Automated)~~ + - ~~3.5.2.7 Ensure outbound and established connections are configured - (Manual)243~~ + - ~~3.5.2.8 Ensure default deny firewall policy (Automated)~~ + - ~~3.5.2.9 Ensure nftables service is enabled (Automated)~~ + - ~~3.5.2.10 Ensure nftables rules are permanent (Automated)~~ + - ~~3.5.3 Configure iptables~~ + - ~~3.5.3.1.1 Ensure iptables packages are installed (Automated)~~ + - ~~3.5.3.1.2 Ensure nftables is not installed (Automated)~~ + - ~~3.5.3.1.3 Ensure Uncomplicated Firewall is not installed or disabled - (Automated)~~ + - ~~3.5.3.2.1 Ensure default deny firewall policy (Automated)~~ + - ~~3.5.3.2.2 Ensure loopback traffic is configured (Automated)~~ + - ~~3.5.3.2.3 Ensure outbound and established connections are configured - (Manual)~~ + - ~~3.5.3.2.4 Ensure firewall rules exist for all open ports (Automated)~~ + - ~~3.5.3.3.1 Ensure IPv6 default deny firewall policy (Automated)~~ + - ~~3.5.3.3.2 Ensure IPv6 loopback traffic is configured (Automated)~~ + - ~~3.5.3.3.3 Ensure IPv6 outbound and established connections are - configured (Manual)~~ + - ~~3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports - (Manual)~~ + +**4 Logging and Auditing** + - 4.1 Configure System Accounting (auditd) + - 4.1.1 
Ensure auditing is enabled + - 4.1.1.1 Ensure auditd is installed (Automated) + - 4.1.1.2 Ensure auditd service is enabled (Automated) + - 4.1.1.3 Ensure auditing for processes that start prior to auditd is - enabled (Automated) + - 4.1.1.4 Ensure audit_backlog_limit is sufficient (Automated) + - 4.1.2 Configure Data Retention + - 4.1.2.1 Ensure audit log storage size is configured (Automated) + - 4.1.2.2 Ensure audit logs are not automatically deleted (Automated) + - 4.1.2.3 Ensure system is disabled when audit logs are full - (Automated) + - 4.1.3 Ensure events that modify date and time information are - collected (Automated) + - 4.1.4 Ensure events that modify user/group information are collected - (Automated) + - 4.1.5 Ensure events that modify the system's network environment are - collected (Automated) + - 4.1.6 Ensure events that modify the system's Mandatory Access - Controls are collected (Automated) + - 4.1.7 Ensure login and logout events are collected (Automated) + - 4.1.8 Ensure session initiation information is collected (Automated) + - 4.1.9 Ensure discretionary access control permission modification - events are collected (Automated) + - 4.1.10 Ensure unsuccessful unauthorized file access attempts are - collected (Automated) + - 4.1.11 Ensure use of privileged commands is collected (Automated) + - 4.1.12 Ensure successful file system mounts are collected (Automated) + - 4.1.13 Ensure file deletion events by users are collected (Automated) + - 4.1.14 Ensure changes to system administration scope (sudoers) is - collected (Automated) + - 4.1.15 Ensure system administrator command executions (sudo) are - collected (Automated) + - 4.1.16 Ensure kernel module loading and unloading is collected - (Automated) + - 4.1.17 Ensure the audit configuration is immutable (Automated) + +**4.2 Configure Logging** + - 4.2.1 Configure rsyslog + - 4.2.1.1 Ensure rsyslog is installed (Automated) + - 4.2.1.2 Ensure rsyslog Service is enabled (Automated) + - 4.2.1.3 Ensure 
logging is configured (Manual) + - 4.2.1.4 Ensure rsyslog default file permissions configured - (Automated) + - 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log - host (Automated) + - 4.2.1.6 Ensure remote rsyslog messages are only accepted on - designated log hosts. (Manual) + - 4.2.2 Configure journald + - 4.2.2.1 Ensure journald is configured to send logs to rsyslog - (Automated) + - 4.2.2.2 Ensure journald is configured to compress large log files - (Automated) + - 4.2.2.3 Ensure journald is configured to write logfiles to - persistent disk (Automated) + - 4.2.3 Ensure permissions on all logfiles are configured (Automated) + - 4.3 Ensure logrotate is configured (Manual) + - 4.4 Ensure logrotate assigns appropriate permissions (Automated) + +**5 Access, Authentication and Authorization** + - 5.1 Configure time-based job schedulers + - 5.1.1 Ensure cron daemon is enabled and running (Automated) + - 5.1.2 Ensure permissions on /etc/crontab are configured (Automated) + - 5.1.3 Ensure permissions on /etc/cron.hourly are configured - (Automated) + - 5.1.4 Ensure permissions on /etc/cron.daily are configured - (Automated) + - 5.1.5 Ensure permissions on /etc/cron.weekly are configured - (Automated) + - 5.1.6 Ensure permissions on /etc/cron.monthly are configured - (Automated) + - 5.1.7 Ensure permissions on /etc/cron.d are configured (Automated) + - 5.1.8 Ensure cron is restricted to authorized users (Automated) + - 5.1.9 Ensure at is restricted to authorized users (Automated) + +**5.2 Configure SSH Server** + - 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured - (Automated) + - 5.2.2 Ensure permissions on SSH private host key files are - configured (Automated) + - 5.2.3 Ensure permissions on SSH public host key files are configured - (Automated) + - 5.2.4 Ensure SSH LogLevel is appropriate (Automated) + - 5.2.5 Ensure SSH X11 forwarding is disabled (Automated) + - 5.2.6 Ensure SSH MaxAuthTries is set to 4 or less (Automated) + - 5.2.7 
Ensure SSH IgnoreRhosts is enabled (Automated) + - 5.2.8 Ensure SSH HostbasedAuthentication is disabled (Automated) + - 5.2.9 Ensure SSH root login is disabled (Automated) + - 5.2.10 Ensure SSH PermitEmptyPasswords is disabled (Automated) + - 5.2.11 Ensure SSH PermitUserEnvironment is disabled (Automated) + - 5.2.12 Ensure only strong Ciphers are used (Automated) + - 5.2.13 Ensure only strong MAC algorithms are used (Automated) + - 5.2.14 Ensure only strong Key Exchange algorithms are used - (Automated) + - 5.2.15 Ensure SSH Idle Timeout Interval is configured (Automated) + - 5.2.16 Ensure SSH LoginGraceTime is set to one minute or less - (Automated) + - 5.2.17 Ensure SSH access is limited (Automated) + - 5.2.18 Ensure SSH warning banner is configured (Automated) + - 5.2.19 Ensure SSH PAM is enabled (Automated) + - 5.2.20 Ensure SSH AllowTcpForwarding is disabled (Automated) + - 5.2.21 Ensure SSH MaxStartups is configured (Automated) + - 5.2.22 Ensure SSH MaxSessions is limited (Automated) + +**5.3 Configure PAM** + - 5.3.1 Ensure password creation requirements are configured - (Automated) + - 5.3.2 Ensure lockout for failed password attempts is configured - (Automated) + - 5.3.3 Ensure password reuse is limited (Automated) + - 5.3.4 Ensure password hashing algorithm is SHA-512 (Automated) + +**5.4 User Accounts and Environment** + - 5.4.1 Set Shadow Password Suite Parameters + - 5.4.1.1 Ensure password expiration is 365 days or less (Automated) + - 5.4.1.2 Ensure minimum days between password changes is configured - (Automated) + - 5.4.1.3 Ensure password expiration warning days is 7 or more - (Automated) + - 5.4.1.4 Ensure inactive password lock is 30 days or less (Automated) + - 5.4.1.5 Ensure all users last password change date is in the past - (Automated) + - 5.4.2 Ensure system accounts are secured (Automated) + - 5.4.3 Ensure default group for the root account is GID 0 (Automated) + - 5.4.4 Ensure default user umask is 027 or more restrictive - (Automated) + 
- 5.4.5 Ensure default user shell timeout is 900 seconds or less - (Automated) + - 5.5 Ensure root login is restricted to system console (Manual) + - 5.6 Ensure access to the su command is restricted (Automated) + +**6 System Maintenance** + - 6.1 System File Permissions + - ~~6.1.1 Audit system file permissions (Manual)~~ + - 6.1.2 Ensure permissions on /etc/passwd are configured (Automated) + - 6.1.3 Ensure permissions on /etc/gshadow- are configured Automated) + - 6.1.4 Ensure permissions on /etc/shadow are configured (Automated) + - 6.1.5 Ensure permissions on /etc/group are configured (Automated) + - 6.1.6 Ensure permissions on /etc/passwd- are configured (Automated) + - 6.1.7 Ensure permissions on /etc/shadow- are configured (Automated) + - 6.1.8 Ensure permissions on /etc/group- are configured (Automated) + - 6.1.9 Ensure permissions on /etc/gshadow are configured (Automated) + - 6.1.10 Ensure no world writable files exist (Automated) + - 6.1.11 Ensure no unowned files or directories exist (Automated) + - 6.1.12 Ensure no ungrouped files or directories exist (Automated) + - ~~6.1.13 Audit SUID executables (Manual)~~ + - ~~6.1.14 Audit SGID executables (Manual)~~ + +**6.2 User and Group Settings** + - 6.2.1 Ensure password fields are not empty (Automated) + - ~~6.2.2 Ensure root is the only UID 0 account (Automated)~~ + - ~~6.2.3 Ensure root PATH Integrity (Automated)~~ + - 6.2.4 Ensure all users' home directories exist (Automated) + - 6.2.5 Ensure users' home directories permissions are 750 or more - restrictive (Automated) + - 6.2.6 Ensure users own their home directories (Automated) + - 6.2.7 Ensure users' dot files are not group or world writable - (Automated) + - ~~6.2.8 Ensure no users have .forward files (Automated)~~ + - ~~6.2.9 Ensure no users have .netrc files (Automated)~~ + - ~~6.2.10 Ensure users' .netrc Files are not group or world accessible - (Automated)~~ + - ~~6.2.11 Ensure no users have .rhosts files (Automated)~~ + - ~~6.2.12 Ensure aFor 
ll groups in /etc/passwd exist in /etc/group - (Automated)~~ + - ~~6.2.13 Ensure no duplicate UIDs exist (Automated)~~ + - ~~6.2.14 Ensure no duplicate GIDs exist (Automated)~~ + - ~~6.2.15 Ensure no duplicate user names exist (Automated)~~ + - ~~6.2.16 Ensure no duplicate group names exist (Automated)~~ + - ~~6.2.17 Ensure shadow group is empty (Automated)~~ + +_________________ +## Troubleshooting +* If you want to run the playbook in the same machine, make sure to add this to run task: +``` +- hosts: 127.0.0.1 + connection: local +``` +* if you faced issue with execut, try to run the playbook in another path, like `/srv/`. +* For error like this `stderr: chage: user 'ubuntu' does not exist in /etc/passed`, make sure to update config under `CIS-Ubuntu-20.04-Ansible/defaults/main.yml` + + +```Bash +TASK [CIS-Ubuntu-20.04-Ansible : 1.4.1 Ensure AIDE is installed] ***********************************************************************************************************************************************************************************************************fatal: [192.168.80.129]: FAILED! => {"cache_update_time": 1611229159, "cache_updated": false, "changed": false, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\" install 'nullmailer' 'aide-common' 'aide' -o APT::Install-Recommends=no' failed: E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 5194 (unattended-upgr)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?\n", "rc": 100, "stderr": "E: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 5194 (unattended-upgr)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?\n", "stderr_lines": ["E: Could not get lock /var/lib/dpkg/lock-frontend. 
It is held by process 5194 (unattended-upgr)", "E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?"], "stdout": "", "stdout_lines": []}
+```
+* For the above error you need to make sure there is not apt process running in the background, or you must wait until apt finish the process.
+
+```Bash
+TASK [CIS-Ubuntu-20.04-Ansible : 5.4.1.1 Ensure password expiration is 365 days or less | chage] ***************************************************************************************************************************************************************************failed: [192.168.80.129] (item=ubuntu) => {"ansible_loop_var": "item", "changed": true, "cmd": ["chage", "--maxdays", "300", "ubuntu"], "delta": "0:00:00.005478", "end": "2021-01-21 12:49:45.463615", "item": "ubuntu", "msg": "non-zero return code", "rc": 1, "start": "2021-01-21 12:49:45.458137", "stderr": "chage: user 'ubuntu' does not exist in /etc/passwd", "stderr_lines": ["chage: user 'ubuntu' does not exist in /etc/passwd"], "stdout": "", "stdout_lines": []}
+```
+* Make sure you set the right user under defaults/main.yaml
+
+_________________
+
+
+License
+-------
+
+ GNU GENERAL PUBLIC LICENSE
+
+Author Information
+------------------
+
+The role was originally developed by [Ali Saleh Baker](https://www.linkedin.com/in/alivx/).
+
+When contributing to this repository, please first discuss the change you wish to make via a GitHub issue, email, or via other channels with me :)
+
diff --git a/tasks/section_1_Initial_Setup.yaml b/tasks/section_1_Initial_Setup.yaml
index 297afb6..c4155f9 100644
--- a/tasks/section_1_Initial_Setup.yaml
+++ b/tasks/section_1_Initial_Setup.yaml
@@ -1,16 +1,16 @@
 ---
 # Check default passwords have changed
-- block:
-    - name: "Exit: If check bootloader_credentials.password has not been changed"
-      fail:
-        msg: "Exiting: Change bootloader_credentials.password from b00tl04derPwd in defaults/main.yml"
-      when: set_bootloader_credentials and bootloader_credentials.password is match ("b00tl04derPwd")
+# - block:
+#     - name: "Exit: If check bootloader_credentials.password has not been changed"
+#       fail:
+#         msg: "Exiting: Change bootloader_credentials.password from b00tl04derPwd in defaults/main.yml"
+#       when: set_bootloader_credentials and bootloader_credentials.password is match ("b00tl04derPwd")
 
-- block:
-    - name: "Exit: If check root_password has not been changed"
-      fail:
-        msg: "Exiting: Change root_password from r00tP4ssw0rd in defaults/main.yml"
-      when: set_root_password and root_password is match ("r00tP4ssw0rd")
+# - block:
+#     - name: "Exit: If check root_password has not been changed"
+#       fail:
+#         msg: "Exiting: Change root_password from r00tP4ssw0rd in defaults/main.yml"
+#       when: set_root_password and root_password is match ("r00tP4ssw0rd")
 
 # 1.1.1 Disable unused filesystems
 # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
@@ -62,7 +62,7 @@
     - section1
     - level_1_server
     - level_1_workstation
-    - 1.1.1.2
+    - "1.1.1.2"
     - filesystems
     - freevxfs
     - modprobe
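Review bot: Commenting out both fail-fast blocks removes the only guard against applying the placeholder credentials that ship in defaults/main.yml: with `set_bootloader_credentials: yes` or `set_root_password: yes` and the defaults untouched, the role will now set the GRUB password to `b00tl04derPwd` and root's password to `r00tP4ssw0rd`, both of which are public in this repository. I cannot tell from the diff why the checks were disabled; the `when:` already short-circuits on `set_bootloader_credentials and ...` / `set_root_password and ...`, so they do not fire when the feature is off, and they should simply be restored. If the problem was an undefined variable, guard that instead of deleting the check, e.g. `when: set_root_password and (root_password | default('')) == 'r00tP4ssw0rd'`, which is also clearer than `is match` for an exact-string comparison.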
@@ -141,21 +141,47 @@ - filesystems - hfsplus - modprobe -# 1.1.1.6 Ensure mounting of udf filesystems is disabled +# 1.1.1.6 Ensure mounting of squashfs filesystems is disabled +# The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems +# (similar to cramfs ). A squashfs image can be used without having to first decompress the image. +#Disabling squashfs will prevent the use of snap. Snap is a package manager for Linux for installing Snap packages +- name: 1.1.1.6 Ensure mounting of squashfs filesystems is disabled + block: + - name: 1.1.1.6 Ensure mounting of squashfs filesystems is disabled + lineinfile: + dest: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install squashfs(\\s|$)" + line: "install squashfs /bin/true" + state: present + create: true + - name: 1.1.1.6 Ensure mounting of squashfs filesystems is disabled | modprobe + modprobe: + name: squashfs + state: absent + when: disable_squashfs + tags: + - section1 + - level_1_server + - level_1_workstation + - 1.1.1.5 + - filesystems + - squashfs + - modprobe +# 1.1.1.7 Ensure mounting of udf filesystems is disabled # The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and # ECMA-167 specifications. This is an open vendor filesystem type for data storage on a # broad range of media. This filesystem type is necessary to support writing DVDs and newer # optical disc formats. 
-- name: 1.1.1.6 Ensure mounting of udf filesystems is disabled +- name: 1.1.1.7 Ensure mounting of udf filesystems is disabled block: - - name: 1.1.1.6 Ensure mounting of udf filesystems is disabled + - name: 1.1.1.7 Ensure mounting of udf filesystems is disabled lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" state: present create: true - - name: 1.1.1.6 Ensure mounting of udf filesystems is disabled | modprobe + - name: 1.1.1.7 Ensure mounting of udf filesystems is disabled | modprobe modprobe: name: udf state: absent @@ -163,7 +189,7 @@ tags: - section1 - level_1_server - level_1_workstation - - 1.1.1.6 + - 1.1.1.7 - filesystems - udf - modprobe @@ -289,9 +315,9 @@ - 1.1.10 - manual # 1.1.11 Ensure separate partition exists for /var/tmp -# 1.1.12 Ensure nodev option set on /var/tmp partition -# 1.1.13 Ensure nosuid option set on /var/tmp partition -# 1.1.14 Ensure noexec option set on /var/tmp partition +# 1.1.12 Ensure /var/tmp partition includes the nodev option +# 1.1.13 Ensure /var/tmp partition includes the nosuid option +# 1.1.14 Ensure /var/tmp partition includes the noexec option # The /var/tmp directory is a world-writable directory used for temporary storage by all # users and some applications. - name: "1.1.12 Ensure nodev option set on /var/tmp partition\n @@ -315,6 +341,7 @@ - 1.1.14 - mount - tmp + - manual # 1.1.15 Ensure separate partition exists for /var/log - name: 1.1.15 Ensure separate partition exists for /var/log debug: @@ -345,7 +372,7 @@ - level_2_workstation - 1.1.17 - manual -# 1.1.18 Ensure nodev option set on /home partition +#1.1.18 Ensure /home partition includes the nodev option - name: 1.1.18 Ensure nodev option set on /home partition debug: msg: For new installations, during installation create a custom partition setup and specify a separate partition 
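Review bot: The new squashfs task is tagged `- 1.1.1.5` while its name and the comment above it say 1.1.1.6, so selecting `--tags 1.1.1.6` runs nothing for squashfs and `--tags 1.1.1.5` runs it together with the hfsplus control; change the tag to `- 1.1.1.6`. The comment `#Disabling squashfs will prevent the use of snap.` also lacks the space after `#` that the surrounding comments use.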
@@ -552,18 +579,18 @@ # files are changed. When setting up AIDE, decide internally what the site policy will be # concerning integrity checking. Review the AIDE quick start guide and AIDE documentation # before proceeding. -# 1.4.1 Ensure AIDE is installed +# 1.3.1 Ensure AIDE is installed # AIDE takes a snapshot of filesystem state including modification times, permissions, and # file hashes which can then be used to compare against the current state of the filesystem to # detect modifications to the system. # Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up # their start up times. Run prelink -ua to restore the binaries to their prelinked state, thus # avoiding false positives from AIDE. -- name: 1.4.1 Ensure AIDE is installed +- name: 1.3.1 Ensure AIDE is installed block: - - name: 1.4.1 Ensure AIDE is installed + - name: 1.3.1 Ensure AIDE is installed apt: - name: ["nullmailer", "aide-common", "aide"] + name: [ "aide-common", "aide"] state: present install_recommends: false - name: Configure default AIDE excludes file @@ -594,7 +621,7 @@ - level_1_server - level_1_workstation - 1.4.1 -# 1.4.2 Ensure filesystem integrity is regularly checked +# 1.3.2 Ensure filesystem integrity is regularly checked # Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. # Notes: # The checking in this recommendation occurs every day at 5am. Alter the frequency and @@ -603,7 +630,7 @@ # been included as an optional alternative to using cron # Ubuntu advises using /usr/bin/aide.wrapper rather than calling /usr/bin/aide # directly in order to protect the database and prevent conflicts -- name: 1.4.2 Ensure filesystem integrity is regularly checked | Cron +- name: 1.3.2 Ensure filesystem integrity is regularly checked | Cron cron: name: Run AIDE integrity check weekly user: root 
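Review bot: The AIDE install task is renamed 1.3.1, but its tag, visible as context in the `@@ -594` hunk, is still `- 1.4.1`, while the bootloader-password task later in the file now carries `- 1.4.2`; a user selecting `--tags 1.4.1` therefore gets the AIDE install rather than the benchmark's 1.4.1 bootloader-permissions control. Change that line to `- 1.3.1` to match the new name (the 1.3.2 cron task's tag was updated in the following hunk, so this looks like an oversight). If `nullmailer` was in the package list so the AIDE cron job could mail its report, that dependency is now implicit; a one-line comment on the apt task saying why it was dropped would stop the question coming back.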
@@ -617,11 +644,15 @@ - section1 - level_1_server - level_1_workstation - - 1.4.2 + - 1.3.2 + +# 1.4.1 Ensure permissions on bootloader config are not overridden +# TODO + # 1.5 Secure Boot Settings # The recommendations in this section focus on securing the bootloader and settings # involved in the boot process directly. -# 1.5.1 Ensure bootloader password is set +# 1.4.2 Ensure bootloader password is set # Setting the boot loader password will require that anyone rebooting the system must enter # a password before being able to set command line boot parameters # Note: This recommendation is designed around the grub bootloader, if LILO or another 
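Review bot: Control 1.4.1 is recorded only as a `# TODO` comment, so nothing in the rendered play carries the `1.4.1` tag for the bootloader-permissions override check and the gap is invisible at runtime. Other unimplemented controls in this file are surfaced with a `debug` task tagged `- manual` (the 1.1.10 and 1.1.17 entries, for example); adding the same stub here, tagged `- 1.4.1` and `- manual`, keeps the tag set consistent with the benchmark numbering. The section comment `# 1.5 Secure Boot Settings` still carries the old number while its children are renumbered to 1.4.x.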
@@ -635,19 +666,19 @@ - meta: end_play when: set_bootloader_credentials and bootloader_credentials.password is match ("b00tl04derPwd") -- name: 1.5.1 Ensure bootloader password is set +- name: 1.4.2 Ensure bootloader password is set block: - - name: 1.5.1 Ensure bootloader password is set - step 1 - check bootloader_credentials.password has been changed + - name: 1.4.2 Ensure bootloader password is set - step 1 - check bootloader_credentials.password has been changed fail: msg: "Exiting: Change bootloader_credentials.password from b00tl04derPwd in defaults/main.yml" when: set_bootloader_credentials and bootloader_credentials.password is match ("b00tl04derPwd") - - name: 1.5.1 Ensure bootloader password is set - step 2 - check if it isn't already set up + - name: 1.4.2 Ensure bootloader password is set - step 2 - check if it isn't already set up shell: /bin/grep -e "^[\s]*password" /boot/grub/grub.cfg | /usr/bin/awk '{print} END {if (NR == 0) print "continue" ; else print "stop"}' register: result ignore_errors: true - - name: 1.5.1 Ensure bootloader password is set - step 3 - create bootloader password hash + - name: 1.4.2 Ensure bootloader password is set - step 3 - create bootloader password hash # bash -c must be used in this strange way or mysterious errors are thrown shell: /bin/bash -c "echo -e '{{ bootloader_credentials.password }}\n{{ bootloader_credentials.password }}' | grub-mkpasswd-pbkdf2" | /bin/grep 'hash of your password' | /usr/bin/awk '{print $7}' register: password @@ -656,7 +687,7 @@ - bootloader_credentials.user - bootloader_credentials.password - - name: 1.5.1 Ensure bootloader password is set - step 4 - create custom grub configuration file + - name: 1.4.2 Ensure bootloader password is set - step 4 - create custom grub configuration file blockinfile: dest: /etc/grub.d/99_custom create: yes 
@@ -673,7 +704,7 @@ - bootloader_credentials.user - bootloader_credentials.password - - name: 1.5.1 Ensure bootloader password is set - step 4 - update grub + - name: 1.4.2 Ensure bootloader password is set - step 4 - update grub shell: update-grub when: - result.stdout == "continue" @@ -684,15 +715,15 @@ - section1 - level_1_server - level_1_workstation - - 1.5.1 + - 1.4.2 -# 1.5.2 Ensure permissions on bootloader config are configured +# 1.4.3 Ensure permissions on bootloader config are configured # The grub configuration file contains information on boot settings and passwords for # unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub/ . # Note: This recommendation is designed around the grub bootloader, if LILO or another # bootloader is in use in your environment enact equivalent settings. Replace # /boot/grub/grub.cfg with the appropriate grub configuration file for your environment -- name: 1.5.2 Ensure permissions on bootloader config are configured +- name: 1.4.3 Ensure permissions on bootloader config are configured file: path: "/boot/grub/grub.cfg" owner: root 
@@ -702,34 +733,36 @@ - section1 - level_1_server - level_1_workstation - - 1.5.2 -# 1.5.3 Ensure authentication required for single user mode + - 1.4.3 +# 1.4.4 Ensure authentication required for single user mode # Single user mode is used for recovery when the system detects an issue during boot or by # manual selection from the bootloader. -- name: 1.5.3 Ensure authentication required for single user mode +- name: 1.4.4 Ensure authentication required for single user mode block: - - name: 1.5.3 Ensure authentication required for single user mode - check root_password has been changed + - name: 1.4.4 Ensure authentication required for single user mode - check root_password has been changed fail: msg: "Exiting: Change root_password from r00tP4ssw0rd in defaults/main.yml" when: set_root_password and root_password is match ("r00tP4ssw0rd") - - name: 1.5.3 Ensure authentication required for single user mode - check if a root password already exists + - name: 1.4.4 Ensure authentication required for single user mode - check if a root password already exists shell: /bin/grep -e "^root:[\*]:" /etc/shadow | /usr/bin/awk 'END {if (NR != 0) print "continue" ; else print "stop"}' register: result ignore_errors: true - - name: 1.5.3 Ensure authentication required for single user mode - create a root password - # bash must be used or mysterious errors are thrown - shell: /bin/bash -c "echo -e '{{ root_password }}\n{{ root_password }}' | passwd root" - when: result.stdout == "continue" + rescue: + - name: 1.4.4 Ensure authentication required for single user mode - create a root password + user: + name: root + update_password: always + password: "{{root_password | password_hash('sha512')}}" when: set_root_password and root_password tags: - section1 - level_1_server - level_1_workstation - - 1.5.3 -# 1.6 Additional Process Hardening -# 1.6.1 Ensure XD/NX support is enabled + - 1.4.4 +# 1.5 Additional Process Hardening +# 1.5.1 Ensure XD/NX support is enabled # Recent processors 
in the x86 family support the ability to prevent code execution on a per # memory page basis. Generically and on AMD processors, this ability is called No Execute # (NX), while on Intel processors it is called Execute Disable (XD). This ability can help @@ -740,14 +773,14 @@ # Note: Ensure your system supports the XD or NX bit and has PAE support before implementing # this recommendation as this may prevent it from booting if these are not supported by your # hardware -- name: 1.6.1 Ensure XD/NX support is enabled +- name: 1.5.1 Ensure XD/NX support is enabled block: - - name: 1.6.1 Ensure XD/NX support is enabled + - name: 1.5.1 Ensure XD/NX support is enabled shell: | dmesg | grep -E "NX|XD" | grep " active" register: xdnx ignore_errors: yes - - name: 1.6.1 Ensure XD/NX support is enabled + - name: 1.5.1 Ensure XD/NX support is enabled debug: msg: | On 32 bit systems install a kernel with PAE support, no installation is required on 64 bit @@ -760,11 +793,11 @@ - section1 - level_1_server - level_1_workstation - - 1.6.1 -# 1.6.2 Ensure address space layout randomization (ASLR) is enabled + - 1.5.1 +# 1.5.2 Ensure address space layout randomization (ASLR) is enabled # Address space layout randomization (ASLR) is an exploit mitigation technique which # randomly arranges the address space of key data areas of a process. -- name: 1.6.2 Ensure address space layout randomization (ASLR) is enabled +- name: 1.5.2 Ensure address space layout randomization (ASLR) is enabled sysctl: name: kernel.randomize_va_space value: "2" 
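Review bot: Moving the root-password task under `rescue:` inverts the control: a `rescue` section runs only when a task in the block fails, and the only task here that can fail is the step-1 `fail` guard against the unchanged default `r00tP4ssw0rd` (the shadow grep step has `ignore_errors: true`), so the password is now set precisely when it is still the placeholder from defaults/main.yml and never otherwise. The `register: result` from the shadow check is no longer consumed anywhere. Restore the task as the block's third step with its original condition, i.e. delete the `rescue:` line and add `when: result.stdout == "continue"` under the `user:` task. Separately, `password_hash('sha512')` with no salt argument yields a new hash on every run, which together with `update_password: always` reports changed on every play; if idempotence matters, keep the `result` gate so the task only fires when root has no password.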
@@ -776,14 +809,14 @@ - section1 - level_1_server - level_1_workstation - - 1.6.2 -# 1.6.3 Ensure prelink is disabled -- name: 1.6.3 Ensure prelink is disabled + - 1.5.2 +# 1.5.3 Ensure prelink is not installed +- name: 1.5.3 Ensure prelink is not installed block: - - name: 1.6.3 Ensure prelink is disabled + - name: 1.5.3 Ensure prelink is not installed command: prelink -ua ignore_errors: yes - - name: 1.6.3 Ensure prelink is disabled + - name: 1.5.3 Ensure prelink is not installed apt: name: prelink state: absent @@ -791,15 +824,15 @@ - section1 - level_1_server - level_1_workstation - - 1.6.3 -# 1.6.4 Ensure core dumps are restricted + - 1.5.3 +# 1.5.4 Ensure core dumps are restricted # A core dump is the memory of an executable program. It is generally used to determine # why a program aborted. It can also be used to glean confidential information from a core # file. The system provides the ability to set a soft limit for core dumps, but this can be # overridden by the user. -- name: 1.6.4 Ensure core dumps are restricted +- name: 1.5.4 Ensure core dumps are restricted block: - - name: 1.6.4 Ensure core dumps are restricted | sysctl + - name: 1.5.4 Ensure core dumps are restricted | sysctl sysctl: name: fs.suid_dumpable value: "0" @@ -807,7 +840,7 @@ reload: true sysctl_set: true ignoreerrors: true - - name: 1.6.4 Ensure core dumps are restricted | limits.conf + - name: 1.5.4 Ensure core dumps are restricted | limits.conf lineinfile: dest: /etc/security/limits.conf line: "* hard core 0" @@ -815,11 +848,11 @@ state: present create: true insertbefore: "# End of file" - - name: 1.6.4 Ensure core dumps are restricted | apt + - name: 1.5.4 Ensure core dumps are restricted | apt apt: name: systemd-coredump state: present - - name: 1.6.4 Ensure core dumps are restricted | coredump.conf + - name: 1.5.4 Ensure core dumps are restricted | coredump.conf lineinfile: dest: /etc/systemd/coredump.conf line: "Storage=none" 
@@ -827,7 +860,7 @@ state: present create: true insertbefore: "# End of file" - - name: 1.6.4 Ensure core dumps are restricted | coredump.conf + - name: 1.5.4 Ensure core dumps are restricted | coredump.conf lineinfile: dest: /etc/systemd/coredump.conf line: "ProcessSizeMax=0" @@ -835,14 +868,14 @@ state: present create: true insertbefore: "# End of file" - - name: 1.6.4 Ensure core dumps are restricted | reload + - name: 1.5.4 Ensure core dumps are restricted | reload shell: systemctl daemon-reload tags: - section1 - level_1_server - level_1_workstation - - 1.6.4 -# 1.7 Mandatory Access Control + - 1.5.4 +# 1.6 Mandatory Access Control # Mandatory Access Control (MAC) provides an additional layer of access restrictions to # processes on top of the base Discretionary Access Controls. By restricting how processes # can access files and resources on a system the potential impact from vulnerabilities in the @@ -850,10 +883,10 @@ # Impact: Mandatory Access Control limits the capabilities of applications and daemons on a # system, while this can prevent unauthorized access the configuration of MAC can be complex # and difficult to implement correctly preventing legitimate access from occurring. -# 1.7.1 Configure AppArmor -# 1.7.1.1 Ensure AppArmor is installed +# 1.6.1 Configure AppArmor +# 1.6.1.1 Ensure AppArmor is installed # AppArmor provides Mandatory Access Controls. -- name: 1.7.1.1 Ensure AppArmor is installed +- name: 1.6.1.1 Ensure AppArmor is installed apt: name: ["apparmor"] state: present 
@@ -862,21 +895,21 @@ - section1 - level_1_server - level_1_workstation - - 1.7.1.1 -# 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration + - 1.6.1.1 +# 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration # Configure AppArmor to be enabled at boot time and verify that it has not been overwritten # by the bootloader boot parameters. # Note: This recommendation is designed around the grub bootloader, if LILO or another # bootloader is in use in your environment enact equivalent settings. -- name: 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration +- name: 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration block: - - name: 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration + - name: 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration replace: path: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=(?!.*apparmor)\"[^\"]*)(\".*)' replace: '\1 apparmor=1 security=apparmor\2' register: output_1_7_1_2 - - name: 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration | reload + - name: 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration | reload shell: | update-grub when: output_1_7_1_2 | bool @@ -884,11 +917,11 @@ - section1 - level_1_server - level_1_workstation - - 1.7.1.2 -# 1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode + - 1.6.1.2 +# 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode # AppArmor profiles define what resources applications are able to access. -- name: "1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode\n - 1.7.1.4 Ensure all AppArmor Profiles are enforcing" +- name: "1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode\n + 1.6.1.4 Ensure all AppArmor Profiles are enforcing" shell: | find /etc/apparmor.d -maxdepth 1 -type f | while read file do 
@@ -900,17 +933,17 @@ - section1 - level_2_server - level_2_workstation - - 1.7.1.3 - - 1.7.1.4 -# 1.8 Warning Banners + - 1.6.1.3 + - 1.6.1.4 +# 1.7 Warning Banners # Presenting a warning message prior to the normal user login may assist in the prosecution # of trespassers on the computer system. Changing some of these login banners also has the # side effect of hiding OS version information and other detailed system information from # attackers attempting to target specific exploits at a system. -# 1.8.1 Command Line Warning Banners +# 1.7.1 Command Line Warning Banners # The /etc/motd , /etc/issue , and /etc/issue.net files govern warning banners for # standard command line logins for both local and remote users. -# 1.8.1.1 Ensure message of the day is configured properly +# 1.7.1 Ensure message of the day is configured properly # The contents of the /etc/motd file are displayed to users after login and function as a # message of the day for authenticated users. # Unix-based systems have typically displayed information about the OS release and patch @@ -921,8 +954,8 @@ # We allow overwriting the default motd message (contained in files/templates/motd.j2) by a custom template, whose path # has to be defined in the variable "custom_motd_file_path". -- name: "1.8.1.1 Ensure message of the day is configured properly\n - 1.8.1.4 Ensure permissions on /etc/motd are configured" +- name: "1.7.1 Ensure message of the day is configured properly\n + 1.7.4 Ensure permissions on /etc/motd are configured " template: src: "{{ lookup('first_found', motd, errors='ignore') }}" dest: /etc/motd 
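Review bot: The new motd task name ends with a trailing space (`… /etc/motd are configured "`), which appears verbatim in play output and in any name-based matching; drop it. In the preceding `@@ -900` hunk, the subsection comment `# 1.7.1 Command Line Warning Banners` now uses the same number as the motd control two lines below it (`# 1.7.1 Ensure message of the day …`), so one of the two is wrong; the header line probably wants the parent section number or should be folded into `# 1.7 Warning Banners` just above it.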
@@ -937,11 +970,11 @@ - section1 - level_1_server - level_1_workstation - - 1.8.1.1 - - 1.8.1.4 -# 1.8.1.2 Ensure local login warning banner is configured properly -- name: "1.8.1.2 Ensure local login warning banner is configured properly\n - 1.8.1.5 Ensure permissions on /etc/issue are configured" + - 1.7.1 + - 1.7.4 +# 1.7.2 Ensure local login warning banner is configured properly +- name: "1.7.2 Ensure local login warning banner is configured properly\n + 1.7.5 Ensure permissions on /etc/issue are configured" template: src: files/templates/issue.j2 dest: /etc/issue @@ -952,11 +985,9 @@ - section1 - level_1_server - level_1_workstation - - 1.8.1.2 - - 1.8.1.5 -# 1.8.1.3 Ensure remote login warning banner is configured properly -- name: "1.8.1.3 Ensure remote login warning banner is configured properly\n - 1.8.1.6 Ensure permissions on /etc/issue.net are configured" + - 1.7.2 +# 1.7.3 Ensure remote login warning banner is configured properly +- name: "1.7.3 Ensure remote login warning banner is configured properly" template: src: files/templates/issue.net.j2 dest: /etc/issue.net 
@@ -967,26 +998,48 @@ - section1 - level_1_server - level_1_workstation - - 1.8.1.3 - - 1.8.1.6 -# 1.9 Ensure updates, patches, and additional security software are installed -- name: 1.9 Ensure updates, patches, and additional security software are installed - apt: - upgrade: dist - ignore_errors: yes + - 1.7.3 +#The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. +- name: 1.7.6 Ensure permissions on /etc/issue.net are configured + ansible.builtin.file: + path: /etc/issue.net + owner: root + group: root + mode: "u-x,go-wx" tags: - section1 - level_1_server - level_1_workstation - - "1.9" -# 1.10 Ensure GDM is removed or login is configured -- name: 1.10 Ensure GDM is removed or login is configured - template: - src: files/templates/greeter.dconf-defaults.j2 - dest: /etc/gdm3/greeter.dconf-defaults + - 1.7.6 + +# 1.8 GNOME Display Manager +# Note: If GDM is not installed on the system, this section can be skipped +# 1.8.1 Ensure GNOME Display Manager is removed +# apt purge gdm3 +# 1.8.2 Ensure GDM login banner is configured +# Edit or create the file /etc/gdm3/greeter.dconf-defaults and add the following: +# [org/gnome/login-screen] +# banner-message-enable=true +# banner-message-text='' +# disable-user-list=true +# Then dpkg-reconfigure gdm3 +# 1.8.3 Ensure disable-user-list is enabled +# Edit or create the file /etc/gdm3/greeter.dconf-defaults and edit or add the following: +# [org/gnome/login-screen] +# banner-message-enable=true +# banner-message-text='' +# disable-user-list=true +# Then dpkg-reconfigure gdm3 +# 1.8.4 Ensure XDCMP is not enabled +# Edit the file /etc/gdm3/custom.conf and remove the line: +# Enable=true +# 1.9 Ensure updates, patches, and additional security software are installed +- name: 1.9 Ensure updates, patches, and additional security software are installed + apt: + upgrade: dist ignore_errors: yes tags: - section1 - level_1_server - level_1_workstation - - "1.10" 
+ - "1.9" \ No newline at end of file diff --git a/tasks/section_2_Services.yaml b/tasks/section_2_Services.yaml index 8293293..50af7c5 100644 --- a/tasks/section_2_Services.yaml +++ b/tasks/section_2_Services.yaml @@ -37,7 +37,7 @@ # should be followed, all other time synchronization recommendations should be skipped # If access to a physical host's clock is available and configured according to site policy, # systemd-timesyncd should be stopped and masked -# 2.2.1.1 Ensure time synchronization is in use +# 2.1.1.1 Ensure time synchronization is in use # System time should be synchronized between all systems in an environment. This is # typically done by establishing an authoritative time server or set of servers and having all # systems synchronize their clocks to them. @@ -46,14 +46,14 @@ # Only one time synchronization method should be in use on the system # If access to a physical host's clock is available and configured according to site policy, # systemd-timesyncd should be stopped and masked -- name: 2.2.1.1 Ensure time synchronization is in use +- name: 2.1.1.1 Ensure time synchronization is in use block: - - name: 2.2.1.1 Ensure time synchronization is in use - service install + - name: 2.1.1.1 Ensure time synchronization is in use - service install apt: name: ["ntp"] state: present install_recommends: false - - name: 2.2.1.1 Ensure time synchronization is in use - service start + - name: 2.1.1.1 Ensure time synchronization is in use - service start service: name: "ntp" state: started @@ -64,8 +64,8 @@ - section2 - level_1_server - level_1_workstation - - 2.2.1.1 -# 2.2.1.2 Ensure systemd-timesyncd is configured + - 2.1.1.1 +# 2.1.1.2 Ensure systemd-timesyncd is configured # The systemd-timesyncd service specifically implements only SNTP. This minimalistic # service will set the system clock for large offsets or slowly adjust it for smaller deltas. # More complex use cases are not covered by systemd-timesyncd 
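Review bot: The old 1.10 task that templated `/etc/gdm3/greeter.dconf-defaults` is deleted and controls 1.8.1–1.8.4 now exist only as comments, so whatever that template enforced on the GDM greeter is no longer applied and nothing tagged `1.8.x` or `manual` tells an operator the role skipped it. Either keep the template task under the new 1.8.2/1.8.3 numbers or add a `debug` stub tagged `- manual`, as this file does for other unimplemented controls, so the gap still shows in the play. The new 1.7.6 task uses the FQCN `ansible.builtin.file` while every other task in this file uses short module names; pick one style.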
@@ -73,16 +73,16 @@ # section skipped # This recommendation only applies if timesyncd is in use on the system # Only one time synchronization method should be in use on the system -- name: 2.2.1.2 Ensure systemd-timesyncd is configured +- name: 2.1.1.2 Ensure systemd-timesyncd is configured block: - - name: 2.2.1.2 Ensure systemd-timesyncd is configured | install systemd-timesyncd + - name: 2.1.1.2 Ensure systemd-timesyncd is configured | install systemd-timesyncd apt: name: systemd-timesyncd state: present - - name: 2.2.1.2 Ensure systemd-timesyncd is configured | set timezone + - name: 2.1.1.2 Ensure systemd-timesyncd is configured | set timezone timezone: name: "{{ timesync_timezone }}" - - name: 2.2.1.2 Ensure systemd-timesyncd is configured | Configure systemd-timesyncd + - name: 2.1.1.2 Ensure systemd-timesyncd is configured | Configure systemd-timesyncd template: src: files/templates/timesyncd.conf.j2 dest: /etc/systemd/timesyncd.conf 
@@ -90,30 +90,30 @@ owner: root group: root notify: reloadTimesyncd - - name: 2.2.1.2 Ensure systemd-timesyncd is configured | Start and enable systemd-timesyncd + - name: 2.1.1.2 Ensure systemd-timesyncd is configured | Start and enable systemd-timesyncd service: name: systemd-timesyncd.service enabled: yes state: started - when: "{{enable_systemdtimesyncd}} == True" + when: enable_systemdtimesyncd tags: - section2 - level_1_server - level_1_workstation - - 2.2.1.2 -# 2.2.1.3 Ensure chrony is configured -- name: 2.2.1.3 Ensure chrony is configured + - 2.1.1.2 +# 2.1.1.3 Ensure chrony is configured +- name: 2.1.1.3 Ensure chrony is configured block: - - name: 2.2.1.3 Ensure chrony is configured | Install Chrony + - name: 2.1.1.3 Ensure chrony is configured | Install Chrony apt: name: "chrony" state: present - - name: 2.2.1.3 Ensure chrony is configured | Start Chrony service + - name: 2.1.1.3 Ensure chrony is configured | Start Chrony service service: name: "chrony" state: started enabled: yes - - name: 2.2.1.3 Ensure chrony is configured | Generate configuration + - name: 2.1.1.3 Ensure chrony is configured | Generate configuration template: src: files/templates/chrony.conf.j2 dest: "/etc/chrony/chrony.conf" 
@@ -121,23 +121,23 @@ group: root mode: 0644 notify: RestartChronyservice - when: "{{chronyEnable}} == True" + when: chronyEnable tags: - section2 - level_1_server - level_1_workstation - - 2.2.1.3 -# 2.2.1.4 Ensure ntp is configured + - 2.1.1.3 +# 2.1.1.4 Ensure ntp is configured # ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to # synchronize system clocks across a variety of systems and use a source that is highly # accurate. More information on NTP can be found at http://www.ntp.org. ntp can be # configured to be a client and/or a server. -- name: 2.2.1.4 Ensure ntp is configured +- name: 2.1.1.4 Ensure ntp is configured block: - name: Check if NTP is installed package_facts: manager: "auto" - - name: 2.2.1.4 Ensure ntp is configured | modify /etc/ntp.conf + - name: 2.1.1.4 Ensure ntp is configured | modify /etc/ntp.conf template: src: files/templates/ntp.conf.j2 dest: /etc/ntp.conf @@ -145,7 +145,7 @@ group: root mode: 0644 when: "'ntp' in ansible_facts.packages" - - name: 2.2.1.4 Ensure ntp is configured | modify /etc/init.d/ntp + - name: 2.1.1.4 Ensure ntp is configured | modify /etc/init.d/ntp lineinfile: dest: /etc/init.d/ntp regexp: "^RUNASUSER" @@ -155,13 +155,13 @@ - section2 - level_1_server - level_1_workstation - - 2.2.1.4 -# 2.2.2 Ensure X Window System is not installed + - 2.1.1.4 +# 2.1.2 Ensure X Window System is not installed # Many Linux systems run applications which require a Java runtime. Some Linux Java # packages have a dependency on specific X Windows xorg-x11-fonts. One workaround to # avoid this dependency is to use the "headless" Java packages for your specific Java runtime, # if provided by your distribution. -- name: 2.2.2 Ensure X Window System is not installed +- name: 2.1.2 Ensure X Window System is not installed apt: name: ["xserver-xorg*"] state: absent 
@@ -169,14 +169,14 @@ tags: - section2 - level_1_server - - 2.2.2 -# 2.2.3 Ensure Avahi Server is not installed + - 2.1.2 +# 2.1.3 Ensure Avahi Server is not installed # Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD # service discovery. Avahi allows programs to publish and discover services and hosts # running on a local network with no specific configuration. For example, a user can plug a # computer into a network and Avahi automatically finds printers to print to, files to look at # and people to talk to, as well as network services running on the machine. -- name: 2.2.3 Ensure Avahi Server is not installed +- name: 2.1.3 Ensure Avahi Server is not installed apt: name: avahi-daemon state: absent @@ -185,14 +185,14 @@ - section2 - level_1_server - level_1_workstation - - 2.2.3 -# 2.2.4 Ensure CUPS is not installed + - 2.1.3 +# 2.1.4 Ensure CUPS is not installed # The Common UNIX Print System (CUPS) provides the ability to print to both local and # network printers. A system running CUPS can also accept print jobs from remote systems # and print them to local printers. It also provides a web based remote administration # capability. # Removing CUPS will prevent printing from the system, a common task for workstation systems. -- name: 2.2.4 Ensure CUPS is not installed +- name: 2.1.4 Ensure CUPS is not installed apt: name: cups state: absent @@ -201,11 +201,11 @@ - section2 - level_1_server - level_2_workstation - - 2.2.4 -# 2.2.5 Ensure DHCP Server is not + - 2.1.4 +# 2.1.5 Ensure DHCP Server is not installed # The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be # dynamically assigned IP addresses. -- name: 2.2.5 Ensure DHCP Server is not installed +- name: 2.1.5 Ensure DHCP Server is not installed apt: name: isc-dhcp-server state: absent 
@@ -214,12 +214,12 @@ - section2 - level_1_server - level_1_workstation - - 2.2.5 -# 2.2.6 Ensure LDAP server is not installed + - 2.1.5 +# 2.1.6 Ensure LDAP server is not installed # The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for # NIS/YP. It is a service that provides a method for looking up information from a central # database. -- name: 2.2.6 Ensure LDAP server is not installed +- name: 2.1.6 Ensure LDAP server is not installed apt: name: slapd state: absent @@ -228,12 +228,12 @@ - section2 - level_1_server - level_1_workstation - - 2.2.6 -# 2.2.7 Ensure NFS is not installed + - 2.1.6 +# 2.1.7 Ensure NFS is not installed # The Network File System (NFS) is one of the first and most widely distributed file systems # in the UNIX environment. It provides the ability for systems to mount file systems of other # servers through the network. -- name: 2.2.7 Ensure NFS is not installed +- name: 2.1.7 Ensure NFS is not installed apt: name: rpcbind state: absent @@ -242,11 +242,11 @@ - section2 - level_1_server - level_1_workstation - - 2.2.7 -# 2.2.8 Ensure DNS Server is not installed + - 2.1.7 +# 2.1.8 Ensure DNS Server is not installed # The Domain Name System (DNS) is a hierarchical naming system that maps names to IP # addresses for computers, services and other resources connected to a network. -- name: 2.2.8 Ensure DNS Server is not installed +- name: 2.1.8 Ensure DNS Server is not installed apt: name: bind9 state: absent @@ -255,12 +255,12 @@ - section2 - level_1_server - level_1_workstation - - 2.2.8 -# 2.2.9 Ensure FTP Server is not installed + - 2.1.8 +# 2.1.9 Ensure FTP Server is not installed # The File Transfer Protocol (FTP) provides networked computers with the ability to transfer # files. # Note: Additional FTP servers also exist and should be audited. -- name: 2.2.9 Ensure FTP Server is not installed +- name: 2.1.9 Ensure FTP Server is not installed apt: name: vsftpd state: absent 
@@ -269,12 +269,12 @@ - section2 - level_1_server - level_1_workstation - - 2.2.9 -# 2.2.10 Ensure HTTP server is not installed + - 2.1.9 +# 2.1.10 Ensure HTTP server is not installed # HTTP or web servers provide the ability to host web site content. # Note: Several httpd servers exist and can use other service names. apache2 and nginx are # example services that provide an HTTP server. These and other services should also be audited -- name: 2.2.10 Ensure HTTP server is not installed +- name: 2.1.10 Ensure HTTP server is not installed apt: name: ["{{ web_server_name }}"] state: absent @@ -283,14 +283,14 @@ - section2 - level_1_server - level_1_workstation - - 2.2.10 -# 2.2.11 Ensure IMAP and POP3 server are not installed + - 2.1.10 +# 2.1.11 Ensure IMAP and POP3 server are not installed # dovecot-imapd and dovecot-pop3d are an open source IMAP and POP3 server for Linux # based systems. # Note: Several IMAP/POP3 servers exist and can use other service names. courier-imap and # cyrus-imap are example services that provide a mail server. These and other services should # also be audited. -- name: 2.2.11 Ensure IMAP and POP3 server are not installed +- name: 2.1.11 Ensure IMAP and POP3 server are not installed apt: name: ["dovecot-imapd", "dovecot-pop3d"] state: absent @@ -299,13 +299,13 @@ - section2 - level_1_server - level_1_workstation - - 2.2.11 -# 2.2.12 Ensure Samba is not installed + - 2.1.11 +# 2.1.12 Ensure Samba is not installed # The Samba daemon allows system administrators to configure their Linux systems to share # file systems and directories with Windows desktops. Samba will advertise the file systems # and directories via the Server Message Block (SMB) protocol. Windows desktop users will # be able to mount these directories and file systems as letter drives on their systems. -- name: 2.2.12 Ensure Samba is not installed +- name: 2.1.12 Ensure Samba is not installed apt: name: samba state: absent 
@@ -314,21 +314,21 @@ - section2 - level_1_server - level_1_workstation - - 2.2.12 -# 2.2.13 Ensure HTTP Proxy Server is not installed + - 2.1.12 +# 2.1.13 Ensure HTTP Proxy Server is not installed # Squid is a standard proxy server used in many distributions and environments. # Note: Several HTTP proxy servers exist. These and other services should be checked -- name: 2.2.13 Ensure HTTP Proxy Server is not installed +- name: 2.1.13 Ensure HTTP Proxy Server is not installed apt: - name: squid + name: "{{HTTPProxyServer}}" state: absent when: remove_HTTPProxyServer tags: - section2 - level_1_server - level_1_workstation - - 2.2.13 -# 2.2.14 Ensure SNMP Server is not installed + - 2.1.13 +# 2.1.14 Ensure SNMP Server is not installed # Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the # health and welfare of network equipment, computer equipment and devices like UPSs. # Net-SNMP is a suite of applications used to implement SNMPv1 (RFC 1157), SNMPv2 (RFCs @@ -338,7 +338,7 @@ # The Simple Network Management Protocol (SNMP) server is used to listen for SNMP # commands from an SNMP management system, execute the commands or collect the # information and then send results back to the requesting system. -- name: 2.2.14 Ensure SNMP Server is not installed +- name: 2.1.14 Ensure SNMP Server is not installed apt: name: snmpd state: absent 
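Review bot: The templated package name `name: "{{HTTPProxyServer}}"` in 2.1.13 omits the spaces inside the delimiters that every other template in this file uses (`{{ web_server_name }}` in the sibling 2.1.10 task, `{{ item.name }}` later on) and that ansible-lint flags; write it as `name: "{{ HTTPProxyServer }}"`. The variable is also the only CamelCase name in a file whose overridable values are snake_case, so the parallel to `web_server_name` would be a name such as `http_proxy_server_name`, keeping the old name as an alias if it is already referenced elsewhere. A one-line comment above the task saying that the variable is the package name to remove and that `remove_HTTPProxyServer` remains the on/off switch would prevent the two from being confused.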
@@ -347,19 +347,19 @@ - section2 - level_1_server - level_1_workstation - - 2.2.14 -# 2.2.15 Ensure mail transfer agent is configured for local-only mode + - 2.1.14 +# 2.1.15 Ensure mail transfer agent is configured for local-only mode # Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming # mail and transfer the messages to the appropriate user or mail server. If the system is not # intended to be a mail server, it is recommended that the MTA be configured to only process # local mail. -- name: 2.2.15 Ensure mail transfer agent is configured for local-only mode +- name: 2.1.15 Ensure mail transfer agent is configured for local-only mode block: - - name: 2.2.15 Ensure mail transfer agent is configured for local-only mode + - name: 2.1.15 Ensure mail transfer agent is configured for local-only mode stat: path: /etc/postfix/main.cf register: postfix - - name: 2.2.15 Ensure mail transfer agent is configured for local-only mode + - name: 2.1.15 Ensure mail transfer agent is configured for local-only mode lineinfile: dest: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" @@ -369,10 +369,10 @@ - section2 - level_1_server - level_1_workstation - - 2.2.15 -# 2.2.16 Ensure rsync service is not installed + - 2.1.15 +# 2.1.16 Ensure rsync service is not installed # The rsync service can be used to synchronize files between systems over network links. -- name: 2.2.16 Ensure rsync service is not installed +- name: 2.1.16 Ensure rsync service is not installed apt: name: rsync state: absent 
@@ -382,12 +382,12 @@ - section2 - level_1_server - level_1_workstation - - 2.2.16 -# 2.2.17 Ensure NIS Server is not installed + - 2.1.16 +# 2.1.17 Ensure NIS Server is not installed # The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server # directory service protocol for distributing system configuration files. The NIS server is a # collection of programs that allow for the distribution of configuration files. -- name: 2.2.17 Ensure NIS Server is not installed +- name: 2.1.17 Ensure NIS Server is not installed apt: name: nis state: absent @@ -396,14 +396,14 @@ - section2 - level_1_server - level_1_workstation - - 2.2.17 -# 2.3 Service Clients -# 2.3.1 Ensure NIS Client is not installed + - 2.1.17 +# 2.2 Service Clients +# 2.2.1 Ensure NIS Client is not installed # The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, # buffer overflows and has poor authentication for querying NIS maps. NIS generally has # been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is # recommended that the service be removed. -- name: 2.3.1 Ensure NIS Client is not installed +- name: 2.2.1 Ensure NIS Client is not installed apt: name: nis state: absent @@ -412,10 +412,10 @@ - section2 - level_1_server - level_1_workstation - - 2.3.1 -# 2.3.2 Ensure rsh client is not installed + - 2.2.1 +# 2.2.2 Ensure rsh client is not installed # The rsh-client package contains the client commands for the rsh services. -- name: 2.3.2 Ensure rsh client is not installed +- name: 2.2.2 Ensure rsh client is not installed apt: name: rsh-client state: absent 
@@ -424,12 +424,12 @@ - section2 - level_1_server - level_1_workstation - - 2.3.2 -# 2.3.3 Ensure talk client is not installed + - 2.2.2 +# 2.2.3 Ensure talk client is not installed # The talk software makes it possible for users to send and receive messages across systems # through a terminal session. The talk client, which allows initialization of talk sessions, is # installed by default. -- name: 2.3.3 Ensure talk client is not installed +- name: 2.2.3 Ensure talk client is not installed apt: name: talk state: absent @@ -438,15 +438,15 @@ - section2 - level_1_server - level_1_workstation - - 2.3.3 -# 2.3.4 Ensure telnet client is not installed + - 2.2.3 +# 2.2.4 Ensure telnet client is not installed # The telnet package contains the telnet client, which allows users to start connections to # other systems via the telnet protocol. # Many insecure service clients are used as troubleshooting tools and in testing # environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are # required it is advisable to remove the clients after use to prevent accidental or intentional # misuse. -- name: 2.3.4 Ensure telnet client is not installed +- name: 2.2.4 Ensure telnet client is not installed apt: name: telnet state: absent @@ -455,13 +455,13 @@ - section2 - level_1_server - level_1_workstation - - 2.3.4 -# 2.3.5 Ensure LDAP client is not installed + - 2.2.4 +# 2.2.5 Ensure LDAP client is not installed # The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for # NIS/YP. It is a service that provides a method for looking up information from a central database. # Removing the LDAP client will prevent or inhibit using LDAP for authentication in your # environment. -- name: 2.3.5 Ensure LDAP client is not installed +- name: 2.2.5 Ensure LDAP client is not installed apt: name: ldap-utils state: absent 
@@ -470,12 +470,12 @@ - section2 - level_1_server - level_1_workstation - - 2.3.5 -# 2.3.6 Ensure RPC is not installed + - 2.2.5 +# 2.2.6 Ensure RPC is not installed # Remote Procedure Call (RPC) is a method for creating low level client server applications # across different system architectures. It requires an RPC compliant client listening on a # network port. The supporting package is rpcbind." -- name: 2.3.6 Ensure RPC is not installed +- name: 2.2.6 Ensure RPC is not installed apt: name: rpcbind state: absent @@ -484,9 +484,9 @@ - section2 - level_1_server - level_1_workstation - - 2.3.6 -# 2.4 Ensure nonessential services are removed or masked -- name: 2.4 Ensure nonessential services are removed or masked + - 2.2.6 +# 2.3 Ensure nonessential services are removed or masked +- name: 2.3 Ensure nonessential services are removed or masked debug: msg: > Run the following command: @@ -508,3 +508,4 @@ - level_1_server - level_1_workstation - manual + - "2.3" diff --git a/tasks/section_3_Network_Configuration.yaml b/tasks/section_3_Network_Configuration.yaml index dc57962..fd4ce08 100644 --- a/tasks/section_3_Network_Configuration.yaml +++ b/tasks/section_3_Network_Configuration.yaml 
@@ -4,12 +4,23 @@ # 3.1.1 Disable IPv6 # If IPv6 or dual stack is not to be used, it is recommended that IPv6 be disabled to reduce the attack surface of the system. - name: 3.1.1 Disable IPv6 - replace: - dest: /etc/default/grub - regexp: '^(GRUB_CMDLINE_LINUX=(?!.*ipv6.disable)\"[^\"]*)(\".*)' - replace: '\1 ipv6.disable=1\2' - notify: - - grub restart + block: + - name: 3.1.1 Disable IPv6 + replace: + dest: /etc/default/grub + regexp: '^(GRUB_CMDLINE_LINUX=(?!.*ipv6.disable)\"[^\"]*)(\".*)' + replace: '\1 ipv6.disable=1\2' + - name: 3.1.1 Disable IPv6 + sysctl: + name: "{{ item.name }}" + value: "{{ item.value }}" + sysctl_set: true + state: present + reload: true + with_items: + - { name: net.ipv4.conf.all.send_redirects, value: 0 } + - { name: net.ipv4.conf.default.send_redirects, value: 0 } + when: IPv6_is_enabled tags: - section3 - level_2_server @@ -74,12 +85,12 @@ value: "0" state: present reload: true - # when: IPv6_is_enabled + when: IPv6_is_enabled - name: 3.2.2 Ensure IP forwarding is disabled | IPV4 load" script: 3_2_2.sh - name: 3.2.2 Ensure IP forwarding is disabled | IPV6 load" script: 3_2_2_2.sh - # when: IPv6_is_enabled + when: IPv6_is_enabled tags: - section3 - level_1_server @@ -440,18 +451,14 @@ # configured software on a host. # Note: Only one firewall utility should be installed and configured. UFW is dependent on the # iptables package -- name: 3.5.1.1 Ensure Uncomplicated Firewall is installed | ufw +- name: 3.5.1.1 Ensure ufw is installed | ufw block: - - name: 3.5.1.1 Ensure Uncomplicated Firewall is installed | ufw + - name: 3.5.1.1 Ensure ufw is installed | ufw apt: name: ufw state: present install_recommends: false - - name: 3.5.1.1 Ensure Uncomplicated Firewall is installed | iptables - apt: - name: iptables - state: present - install_recommends: false + when: UFWEnable when: enable_firewall tags: - section3 
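Review bot: The rewritten 3.1.1 block drops the `notify: - grub restart` that the replaced single task had, so the edit to `/etc/default/grub` no longer triggers the handler (which presumably regenerates the grub config) and the `ipv6.disable=1` kernel argument is not applied until someone regenerates grub by hand. The sysctl task added in the same block writes `net.ipv4.conf.all.send_redirects` and `net.ipv4.conf.default.send_redirects`, which are IPv4 redirect settings and do nothing to disable IPv6; the sysctls that correspond to this control are `net.ipv6.conf.all.disable_ipv6` and `net.ipv6.conf.default.disable_ipv6` set to 1. The values are also written as bare `0` where the 3.2.x hunk in this same file writes `value: "0"`. Whether the block is meant to run when `IPv6_is_enabled` is true (to disable it) or false is not obvious from the name; a one-line comment above the `when:` stating the intent would help.
```yaml
    - name: 3.1.1 Disable IPv6
      replace:
        dest: /etc/default/grub
        # … unchanged: regexp / replace …
      notify:
        - grub restart
    - name: 3.1.1 Disable IPv6
      sysctl:
        # … unchanged: name / value / sysctl_set / state / reload …
      with_items:
        - { name: net.ipv6.conf.all.disable_ipv6, value: "1" }
        - { name: net.ipv6.conf.default.disable_ipv6, value: "1" }
```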
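Review bot: The iptables apt task is removed from 3.5.1.1 but the note above it still reads "UFW is dependent on the iptables package", which now describes an install the role no longer performs; reword it to `# ufw's iptables dependency is left to apt's resolution of the ufw package` or drop the sentence. The remaining inner task is gated on `UFWEnable` while its enclosing block is gated on `enable_firewall`, whereas the allow-22 task in the 3.5.1.3 hunk is switched to `when: UFWEnable` alone and 3.5.1.5 in the following hunks keeps `when: enable_firewall` alone, so a host with `enable_firewall: no` and `UFWEnable: yes` would have some ufw rule tasks run against a package the role never installed; a single expression such as `when: enable_firewall and UFWEnable` on every ufw task would close that gap. `UFWEnable` is also the only CamelCase variable among the snake_case flags (`enable_firewall`, `firewall_allow_keep_alive`) used around it.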
@@ -483,6 +490,7 @@ name: ufw state: started enabled: true + when: UFWEnable - name: 3.5.1.3 Ensure ufw service is enabled | allow 22 before enable ufw: rule: "{{ item.rule }}" @@ -490,32 +498,32 @@ proto: "{{ item.proto }}" with_items: - { rule: "allow", port: "22", proto: "tcp" } - when: enable_firewall + when: UFWEnable tags: - section3 - level_1_server - level_1_workstation - 3.5.1.3 -# 3.5.1.4 Ensure loopback traffic is configured +# 3.5.1.4 Ensure ufw loopback traffic is configured # Configure the loopback interface to accept traffic. Configure all other interfaces to deny # traffic to the loopback network (127.0.0.0/8 for IPv4 and ::1/128 for IPv6). # Loopback traffic is generated between processes on machine and is typically critical to # operation of the system. The loopback interface is the only place that loopback network # (127.0.0.0/8 for IPv4 and ::1/128 for IPv6) traffic should be seen, all other interfaces # should ignore traffic on this network as an anti-spoofing measure. -- name: 3.5.1.4 Ensure loopback traffic is configured +- name: 3.5.1.4 Ensure ufw loopback traffic is configured block: - - name: 3.5.1.4 Ensure loopback traffic is configured | ingress lo allow in + - name: 3.5.1.4 Ensure ufw loopback traffic is configured | ingress lo allow in ufw: rule: allow direction: in interface: lo - - name: 3.5.1.4 Ensure loopback traffic is configured | ingress deny from lo network ipv4 + - name: 3.5.1.4 Ensure ufw loopback traffic is configured | ingress deny from lo network ipv4 ufw: rule: deny direction: in from: "127.0.0.0/8" - - name: 3.5.1.4 Ensure loopback traffic is configured | ingress deny from lo network ipv6 + - name: 3.5.1.4 Ensure ufw loopback traffic is configured | ingress deny from lo network ipv6 ufw: rule: deny direction: in 
@@ -527,14 +535,14 @@ - level_1_server - level_1_workstation - 3.5.1.4 -# 3.5.1.5 Ensure outbound connections are configured +# 3.5.1.5 Ensure ufw outbound connections are configured # Configure the firewall rules for new outbound connections. # Notes: # Changing firewall settings while connected over network can result in being locked out # of the system. # Unlike iptables, when a new outbound rule is added, ufw automatically takes care of # associated established connections, so no rules for the latter kind are required. -- name: 3.5.1.5 Ensure outbound connections are configured +- name: 3.5.1.5 Ensure ufw outbound connections are configured shell: | ufw allow out on all when: enable_firewall @@ -543,20 +551,20 @@ - level_1_server - level_1_workstation - 3.5.1.5 -# 3.5.1.6 Ensure firewall rules exist for all open ports +# 3.5.1.6 Ensure ufw firewall rules exist for all open ports # Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic. # Notes: # Changing firewall settings while connected over network can result in being locked out of the system # The remediation command opens up the port to traffic from all sources. Consult ufw # documentation and set any restrictions in compliance with site policy -- name: 3.5.1.6 Ensure firewall rules exist for all open ports +- name: 3.5.1.6 Ensure ufw firewall rules exist for all open ports block: - - name: 3.5.1.6 Ensure firewall rules exist for all open ports | ssh + - name: 3.5.1.6 Ensure ufw firewall rules exist for all open ports | ssh ufw: rule: allow proto: tcp port: "22" - - name: 3.5.1.6 Ensure firewall rules exist for all open ports | dns + - name: 3.5.1.6 Ensure ufw firewall rules exist for all open ports | dns ufw: rule: allow proto: "{{ item }}" 
@@ -564,19 +572,19 @@ loop: - tcp - udp - - name: 3.5.1.6 Ensure firewall rules exist for all open ports | defined ports + - name: 3.5.1.6 Ensure ufw firewall rules exist for all open ports | defined ports ufw: rule: "{{ item.rule }}" port: "{{ item.port }}" proto: "{{ item.proto }}" with_items: "{{ firewall_list_of_ports_to_allow }}" - - name: 3.5.1.6 Ensure firewall rules exist for all open ports | keep_alived (1) + - name: 3.5.1.6 Ensure ufw firewall rules exist for all open ports | keep_alived (1) ufw: # note: Ansible doesn't support "proto: vrrp" rule: allow from_ip: 224.0.0.18 when: firewall_allow_keep_alive - - name: 3.5.1.6 Ensure firewall rules exist for all open ports | keep_alived (2) + - name: 3.5.1.6 Ensure ufw firewall rules exist for all open ports | keep_alived (2) ufw: # note: Ansible doesn't support "proto: vrrp" rule: allow @@ -588,15 +596,15 @@ - level_1_server - level_1_workstation - 3.5.1.6 -# 3.5.1.7 Ensure default deny firewall policy +# 3.5.1.7 Ensure ufw default deny firewall policy # A default deny policy on connections ensures that any unconfigured network usage will be # rejected. # Note: Any port or protocol without a explicit allow before the default deny will be blocked # Any port and protocol not explicitly allowed will be blocked. The following rules should be # considered before applying the default deny. -- name: 3.5.1.7 Ensure default deny firewall policy +- name: 3.5.1.7 Ensure ufw default deny firewall policy block: - - name: 3.5.1.7 Ensure default deny firewall policy + - name: 3.5.1.7 Ensure ufw default deny firewall policy shell: | ufw default deny incoming ufw default allow outgoing 
@@ -614,23 +622,22 @@ # 3.5.2 Configure nftables # 3.5.2.1 Ensure nftables is installed # 3.5.2.2 Ensure Uncomplicated Firewall is not installed or disabled -# 3.5.2.3 Ensure iptables are flushed -# 3.5.2.4 Ensure a table exists -# 3.5.2.5 Ensure base chains exist -# 3.5.2.6 Ensure loopback traffic is configured -# 3.5.2.7 Ensure outbound and established connections are configured -# 3.5.2.8 Ensure default deny firewall policy +# 3.5.2.3 Ensure iptables are flushed with nftables +# 3.5.2.4 Ensure a nftables table exists +# 3.5.2.5 Ensure nftables base chains exist +# 3.5.2.6 Ensure nftables loopback traffic is configured +# 3.5.2.7 Ensure nftables outbound and established connections are configured +# 3.5.2.8 Ensure nftables default deny firewall policy # 3.5.2.9 Ensure nftables service is enabled # 3.5.2.10 Ensure nftables rules are permanent # 3.5.3 Configure iptables # 3.5.3.1.1 Ensure iptables packages are installed -# 3.5.3.1.2 Ensure nftables is not installed -# 3.5.3.1.3 Ensure Uncomplicated Firewall is not installed or disabled -# 3.5.3.2.1 Ensure default deny firewall policy -# 3.5.3.2.2 Ensure loopback traffic is configured -# 3.5.3.2.3 Ensure outbound and established connections are configured -# 3.5.3.2.4 Ensure firewall rules exist for all open ports -# 3.5.3.3.1 Ensure IPv6 default deny firewall policy -# 3.5.3.3.2 Ensure IPv6 loopback traffic is configured -# 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured -# 3.5.3.3.4 Ensure IPv6 firewall rules exist for all open ports +# 3.5.3.1.2 Ensure nftables is not installed with iptables +# 3.5.3.2.1 Ensure iptables loopback traffic is configured +# 3.5.3.2.2 Ensure iptables outbound and established connections are configured +# 3.5.3.2.3 Ensure iptables default deny firewall policy +# 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports +# 3.5.3.3.1 Ensure ip6tables loopback traffic is configured +# 3.5.3.3.2 Ensure ip6tables outbound and established connections are 
configured +# 3.5.3.3.3 Ensure ip6tables default deny firewall policy +# 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports diff --git a/tasks/section_5_Access_Authentication_and_Authorization.yaml b/tasks/section_5_Access_Authentication_and_Authorization.yaml index 2098130..8f4bd6f 100644 --- a/tasks/section_5_Access_Authentication_and_Authorization.yaml +++ b/tasks/section_5_Access_Authentication_and_Authorization.yaml @@ -135,9 +135,31 @@ - level_1_server - level_1_workstation - 5.1.9 -# 5.2 Configure SSH Server -# 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured -- name: 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured + +# 5.2 Configure sudo +# sudo allows a permitted user to execute a command as the superuser or another user, +# as specified by the security policy. The invoking user's real (not effective) +# user ID is used to determine the user name with which to query the security policy +- name: 5.2.1 Ensure sudo is installed + apt: + name: sudo + state: present + install_recommends: false + tags: + - section5 + - level_1_server + - level_1_workstation + - 5.2.1 +# - name: 5.2.2 Ensure sudo commands use pty +# Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line +# Defaults use_pty +# - name: 5.2.3 Ensure sudo log file exists +# Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line: and add the following line: +# Defaults logfile="/var/log/sudo.log" + +# 5.3 Configure SSH Server +# 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured +- name: 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured file: dest: /etc/ssh/sshd_config state: file 
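Review bot: 5.2.2 (`Defaults use_pty`) and 5.2.3 (`Defaults logfile=...`) are added only as commented-out `# - name:` lines, so the role silently skips two Level 1 controls without even the `manual` tag that 2.3 carries; both can be enforced with `lineinfile` into a drop-in under `/etc/sudoers.d/` guarded by `validate: "visudo -cf %s"`, so a malformed line is rejected before it can break sudo. The drop-in filename in the proposal below is a constructed example to be set per site policy. If they are intentionally left unimplemented, the lines should be rewritten as plain `# 5.2.2 …` headings like the rest of the file, since `# - name:` reads as disabled code rather than documentation.
```yaml
# 5.2.2 Ensure sudo commands use pty
- name: 5.2.2 Ensure sudo commands use pty
  lineinfile:
    dest: /etc/sudoers.d/cis_hardening   # constructed drop-in name; adjust to site policy
    create: yes
    mode: "0440"
    regexp: '^Defaults\s+use_pty'
    line: "Defaults use_pty"
    validate: "visudo -cf %s"
  tags:
    - section5
    - level_1_server
    - level_1_workstation
    - 5.2.2
# 5.2.3 Ensure sudo log file exists
- name: 5.2.3 Ensure sudo log file exists
  lineinfile:
    dest: /etc/sudoers.d/cis_hardening
    create: yes
    mode: "0440"
    regexp: '^Defaults\s+logfile='
    line: 'Defaults logfile="/var/log/sudo.log"'
    validate: "visudo -cf %s"
  tags:
    - section5
    - level_1_server
    - level_1_workstation
    - 5.2.3
```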
@@ -148,15 +170,15 @@ - section5 - level_1_server - level_1_workstation - - 5.2.1 -# 5.2.2 Ensure permissions on SSH private host key files are configured -- name: 5.2.2 Ensure permissions on SSH private host key files are configured + - 5.3.1 +# 5.3.2 Ensure permissions on SSH private host key files are configured +- name: 5.3.2 Ensure permissions on SSH private host key files are configured block: - - name: 5.2.2 Ensure permissions on SSH private host key files are configured | find keys + - name: 5.3.2 Ensure permissions on SSH private host key files are configured | find keys shell: | find /etc/ssh -xdev -type f -name 'ssh_host_*_key' && true || true register: private_keys - - name: 5.2.2 Ensure permissions on SSH private host key files are configured | fix permissions + - name: 5.3.2 Ensure permissions on SSH private host key files are configured | fix permissions file: dest: "{{ item }}" state: file @@ -169,15 +191,15 @@ - section5 - level_1_server - level_1_workstation - - 5.2.2 -# 5.2.3 Ensure permissions on SSH public host key files are configured -- name: 5.2.3 Ensure permissions on SSH public host key files are configured + - 5.3.2 +# 5.3.3 Ensure permissions on SSH public host key files are configured +- name: 5.3.3 Ensure permissions on SSH public host key files are configured block: - - name: 5.2.3 Ensure permissions on SSH public host key files are configured | find keys + - name: 5.3.3 Ensure permissions on SSH public host key files are configured | find keys shell: | find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' && true || true register: public_keys - - name: 5.2.3 Ensure permissions on SSH public host key files are configured | fix permissions + - name: 5.3.3 Ensure permissions on SSH public host key files are configured | fix permissions file: dest: "{{ item }}" state: file 
@@ -190,9 +212,50 @@ - section5 - level_1_server - level_1_workstation - - 5.2.3 -# 5.2.4 Ensure SSH LogLevel is appropriate -- name: 5.2.4 Ensure SSH LogLevel is appropriate + - 5.3.3 +# 5.3.4 Ensure SSH access is limited +# Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system. +- name: 5.3.4 Ensure SSH access is limited + block: + - name: 5.3.4 Ensure SSH access is limited | allow users + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^AllowUsers" + line: "AllowUsers {{ allowed_users }}" + when: + - "{{ allowed_users|length > 0 }}" + - name: 5.3.4 Ensure SSH access is limited | allow groups + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^AllowGroups" + line: "AllowGroups {{ allowed_groups }}" + when: + - allowed_groups != "None" + - name: 5.3.4 Ensure SSH access is limited | denyusers + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^DenyUsers" + line: "DenyUsers {{ deny_users }}" + when: + - deny_users != "None" + - name: 5.3.4 Ensure SSH access is limited | denygroups + lineinfile: + state: present + dest: /etc/ssh/sshd_config + regexp: "^DenyGroups" + line: "DenyGroups {{ deny_groups }}" + when: + - deny_groups != "None" + tags: + - section5 + - level_1_server + - level_1_workstation + - 5.3.4 +# 5.3.5 Ensure SSH LogLevel is appropriate +- name: 5.3.5 Ensure SSH LogLevel is appropriate lineinfile: state: present dest: /etc/ssh/sshd_config @@ -202,9 +265,9 @@ - section5 - level_1_server - level_1_workstation - - 5.2.4 -# 5.2.5 Ensure SSH X11 forwarding is disabled -- name: 5.2.5 Ensure SSH X11 forwarding is disabled + - 5.3.5 +# 5.3.6 Ensure SSH X11 forwarding is disabled +- name: 5.3.6 Ensure SSH X11 forwarding is disabled lineinfile: state: present dest: /etc/ssh/sshd_config 
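Review bot: In the relocated 5.3.4 block the allow-users task is gated on `"{{ allowed_users|length > 0 }}"`, which is true for the `None` sentinel the other three tasks test with `!= "None"`; with `allowed_users: None` this writes `AllowUsers None` into sshd_config, which permits only a user literally named None and locks every real account out of SSH. Change it to `- allowed_users != "None"` to match its siblings. Wrapping a `when:` in `{{ }}` is also warned about or rejected as a templated conditional by recent Ansible releases, so the bare expression is needed anyway. Since each of these four tasks edits sshd_config directly, adding `validate: "sshd -t -f %s"` to the `lineinfile` calls would stop a malformed directive from being written.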
@@ -214,23 +277,23 @@ - section5 - level_1_server - level_1_workstation - - 5.2.5 -# 5.2.6 Ensure SSH MaxAuthTries is set to 4 or less + - 5.3.6 +# 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less # Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy. -- name: 5.2.6 Ensure SSH MaxAuthTries is set to 4 or less +- name: 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' - line: "MaxAuthTries 4" + line: "MaxAuthTries {{ max_auth_tries }}" tags: - section5 - level_1_server - level_1_workstation - - 5.2.6 -# 5.2.7 Ensure SSH IgnoreRhosts is enabled + - 5.3.7 +# 5.3.8 Ensure SSH IgnoreRhosts is enabled # Setting this parameter forces users to enter a password when authenticating with ssh. -- name: 5.2.7 Ensure SSH IgnoreRhosts is enabled +- name: 5.3.8 Ensure SSH IgnoreRhosts is enabled lineinfile: state: present dest: /etc/ssh/sshd_config @@ -240,10 +303,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.7 -# 5.2.8 Ensure SSH HostbasedAuthentication is disabled + - 5.3.8 +# 5.3.9 Ensure SSH HostbasedAuthentication is disabled # Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf ,disabling the ability to use .rhosts files in SSH provides an additional layer of protection. -- name: 5.2.8 Ensure SSH HostbasedAuthentication is disabled +- name: 5.3.9 Ensure SSH HostbasedAuthentication is disabled lineinfile: state: present dest: /etc/ssh/sshd_config 
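Review bot: 5.3.7 now writes `MaxAuthTries {{ max_auth_tries }}` but nothing checks the value against the "4 or less" the task name promises, so a site override of, say, 10 is applied silently while the run reports the control as satisfied. Either precede the task with an `assert` such as `that: max_auth_tries | int <= 4`, or follow the pattern 5.3.21 uses and put the real value in the name: `- name: "5.3.7 Ensure SSH MaxAuthTries is set to {{ max_auth_tries }}"`. A short comment above the task noting that `max_auth_tries` is site-overridable and that the benchmark ceiling is 4 would make the intent clear to whoever changes the default.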
@@ -253,10 +316,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.8 -# 5.2.9 Ensure SSH root login is disabled + - 5.3.9 +# 5.3.10 Ensure SSH root login is disabled # Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident -- name: 5.2.9 Ensure SSH root login is disabled +- name: 5.3.10 Ensure SSH root login is disabled lineinfile: state: present dest: /etc/ssh/sshd_config @@ -266,10 +329,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.9 -# 5.2.10 Ensure SSH PermitEmptyPasswords is disabled + - 5.3.10 +# 5.3.11 Ensure SSH PermitEmptyPasswords is disabled # Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system -- name: 5.2.10 Ensure SSH PermitEmptyPasswords is disabled +- name: 5.3.11 Ensure SSH PermitEmptyPasswords is disabled lineinfile: state: present dest: /etc/ssh/sshd_config @@ -279,10 +342,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.10 -# 5.2.11 Ensure SSH PermitUserEnvironment is disabled + - 5.3.11 +# 5.3.12 Ensure SSH PermitUserEnvironment is disabled # Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs) -- name: 5.2.11 Ensure SSH PermitUserEnvironment is disabled +- name: 5.3.12 Ensure SSH PermitUserEnvironment is disabled lineinfile: state: present dest: /etc/ssh/sshd_config 
@@ -292,23 +355,23 @@ - section5 - level_1_server - level_1_workstation - - 5.2.11 -# 5.2.12 Ensure only strong Ciphers are used + - 5.3.12 +# 5.3.13 Ensure only strong Ciphers are used # Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised -- name: 5.2.12 Ensure only strong Ciphers are used +- name: 5.3.13 Ensure only strong Ciphers are used lineinfile: state: present dest: /etc/ssh/sshd_config regexp: "^Ciphers" - line: "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" + line: "Ciphers {{ ssh_ciphers }}" tags: - section5 - level_1_server - level_1_workstation - - 5.2.12 -# 5.2.13 Ensure only strong MAC algorithms are used + - 5.3.13 +# 5.3.14 Ensure only strong MAC algorithms are used # MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information -- name: 5.2.13 Ensure only strong MAC algorithms are used +- name: 5.3.14 Ensure only strong MAC algorithms are used lineinfile: state: present dest: /etc/ssh/sshd_config 
@@ -318,10 +381,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.13 -# 5.2.14 Ensure only strong Key Exchange algorithms are used + - 5.3.14 +# 5.3.15 Ensure only strong Key Exchange algorithms are used # Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used, or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks -- name: 5.2.14 Ensure only strong Key Exchange algorithms are used +- name: 5.3.15 Ensure only strong Key Exchange algorithms are used lineinfile: state: present dest: /etc/ssh/sshd_config @@ -331,18 +394,18 @@ - section5 - level_1_server - level_1_workstation - - 5.2.14 -# 5.2.15 Ensure SSH Idle Timeout Interval is configured + - 5.3.15 +# 5.3.16 Ensure SSH Idle Timeout Interval is configured # Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value reduces this risk. -- name: 5.2.15 Ensure SSH Idle Timeout Interval is configured +- name: 5.3.16 Ensure SSH Idle Timeout Interval is configured block: - - name: 5.2.15 Ensure SSH Idle Timeout Interval is configured | clientalive + - name: 5.3.16 Ensure SSH Idle Timeout Interval is configured | clientalive lineinfile: state: present dest: /etc/ssh/sshd_config regexp: "^ClientAliveInterval" line: "ClientAliveInterval 300" - - name: 5.2.15 Ensure SSH Idle Timeout Interval is configured | MaxAlive + - name: 5.3.16 Ensure SSH Idle Timeout Interval is configured | MaxAlive lineinfile: state: present dest: /etc/ssh/sshd_config 
@@ -352,10 +415,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.15 -# 5.2.16 Ensure SSH LoginGraceTime is set to one minute or less + - 5.3.16 +# 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less # Setting the LoginGraceTime parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy. -- name: 5.2.16 Ensure SSH LoginGraceTime is set to one minute or less +- name: 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less lineinfile: state: present dest: /etc/ssh/sshd_config 
@@ -365,51 +428,11 @@ - section5 - level_1_server - level_1_workstation - - 5.2.16 -# 5.2.17 Ensure SSH access is limited -# Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system. -- name: 5.2.17 Ensure SSH access is limited - block: - - name: 5.2.17 Ensure SSH access is limited | allow users - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" - line: "AllowUsers {{ allowed_users }}" - when: - - "{{ allowed_users|length > 0 }}" - - name: 5.2.17 Ensure SSH access is limited | allow groups - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowGroups" - line: "AllowGroups {{ allowed_groups }}" - when: - - allowed_groups != "None" - - name: 5.2.17 Ensure SSH access is limited | denyusers - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyUsers" - line: "DenyUsers {{ deny_users }}" - when: - - deny_users != "None" - - name: 5.2.17 Ensure SSH access is limited | denygroups - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyGroups" - line: "DenyGroups {{ deny_groups }}" - when: - - deny_groups != "None" - tags: - - section5 - - level_1_server - - level_1_workstation - - 5.2.17 -# 5.2.18 Ensure SSH warning banner is configured + - 5.3.17 + +# 5.3.18 Ensure SSH warning banner is configured # Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system. -- name: 5.2.18 Ensure SSH warning banner is configured +- name: 5.3.18 Ensure SSH warning banner is configured lineinfile: state: present dest: /etc/ssh/sshd_config 
@@ -419,10 +442,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.18 -# 5.2.19 Ensure SSH PAM is enabled + - 5.3.18 +# 5.3.19 Ensure SSH PAM is enabled # When usePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server -- name: 5.2.19 Ensure SSH PAM is enabled +- name: 5.3.19 Ensure SSH PAM is enabled lineinfile: state: present dest: /etc/ssh/sshd_config @@ -432,10 +455,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.19 -# 5.2.20 Ensure SSH AllowTcpForwarding is disabled + - 5.3.19 +# 5.3.20 Ensure SSH AllowTcpForwarding is disabled # Leaving port forwarding enabled can expose the organization to security risks and back- doors. -- name: 5.2.20 Ensure SSH AllowTcpForwarding is disabled +- name: 5.3.20 Ensure SSH AllowTcpForwarding is disabled lineinfile: state: present dest: /etc/ssh/sshd_config @@ -445,10 +468,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.20 -# 5.2.21 Ensure SSH MaxStartups is configured + - 5.3.20 +# 5.3.21 Ensure SSH MaxStartups is configured # To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon. -- name: "5.2.21 Ensure SSH MaxStartups is configured to {{ ssh_max_startups }}" +- name: "5.3.21 Ensure SSH MaxStartups is configured to {{ ssh_max_startups }}" lineinfile: state: present dest: /etc/ssh/sshd_config 
@@ -458,10 +481,10 @@ - section5 - level_1_server - level_1_workstation - - 5.2.21 -# 5.2.22 Ensure SSH MaxSessions is limited + - 5.3.21 +# 5.3.22 Ensure SSH MaxSessions is limited # To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon. -- name: "5.2.22 Ensure SSH MaxSessions is limited to {{ ssh_max_sessions }}" +- name: "5.3.22 Ensure SSH MaxSessions is limited to {{ ssh_max_sessions }}" lineinfile: state: present dest: /etc/ssh/sshd_config @@ -471,18 +494,18 @@ - section5 - level_1_server - level_1_workstation - - 5.2.21 -# 5.3 Configure PAM -# 5.3.1 Ensure password creation requirements are configured + - 5.3.21 +# 5.4 Configure PAM +# 5.4.1 Ensure password creation requirements are configured # Strong passwords protect systems from being hacked through brute force methods. -- name: 5.3.1 Ensure password creation requirements are configured +- name: 5.4.1 Ensure password creation requirements are configured block: - - name: 5.3.1 Ensure password creation requirements are configured + - name: 5.4.1 Ensure password creation requirements are configured apt: name: libpam-pwquality state: present install_recommends: false - - name: 5.3.1 Ensure password creation requirements are configured + - name: 5.4.1 Ensure password creation requirements are configured lineinfile: state: present create: yes 
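Review bot: The tag list under `5.3.22 Ensure SSH MaxSessions is limited` still ends with `- 5.3.21`, so `--tags 5.3.22` never selects this task while `--tags 5.3.21` runs it together with the MaxStartups task; the old side had the same copy-paste slip (`5.2.21` on the 5.2.22 task) and the renumber carried it over. Change that line to `- 5.3.22`. The `5.4.1` block that follows is renumbered only and looks fine.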
@@ -499,21 +522,21 @@ - section5 - level_1_server - level_1_workstation - - 5.3.1 -# 5.3.2 Ensure lockout for failed password attempts is configured + - 5.4.1 +# 5.4.2 Ensure lockout for failed password attempts is configured # Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. -- name: 5.3.2 Ensure lockout for failed password attempts is configured +- name: 5.4.2 Ensure lockout for failed password attempts is configured block: - - name: 5.3.2 Ensure lockout for failed password attempts is configured | common-auth + - name: 5.4.2 Ensure lockout for failed password attempts is configured | common-auth lineinfile: dest: /etc/pam.d/common-auth line: "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" - - name: 5.3.2 Ensure lockout for failed password attempts is configured | pam_deny.so + - name: 5.4.2 Ensure lockout for failed password attempts is configured | pam_deny.so lineinfile: dest: /etc/pam.d/common-account regexp: '^account\srequisite' line: "account requisite pam_deny.so" - - name: 5.3.2 Ensure lockout for failed password attempts is configured | pam_tally2.so + - name: 5.4.2 Ensure lockout for failed password attempts is configured | pam_tally2.so lineinfile: dest: /etc/pam.d/common-account regexp: '^account\srequired' @@ -522,10 +545,10 @@ - section5 - level_1_server - level_1_workstation - - 5.3.2 -# 5.3.3 Ensure password reuse is limited + - 5.4.2 +# 5.4.3 Ensure password reuse is limited # Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems. -- name: 5.3.3 Ensure password reuse is limited +- name: 5.4.3 Ensure password reuse is limited lineinfile: dest: /etc/pam.d/common-password line: "password required pam_pwhistory.so remember=5" 
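Review bot: In `5.4.2 ... | common-auth` the `lineinfile` has no `regexp`, so it only matches the exact line text: changing `deny=` or `unlock_time=` later appends a second `pam_tally2.so` entry instead of replacing the first, and because `lineinfile` appends at end of file the rule lands after whatever `/etc/pam.d/common-auth` already ends with. If that is Ubuntu's stock `pam_deny.so`/`pam_permit.so` pair (not visible here, please confirm on a target), a failed password terminates the stack at `pam_deny` before `pam_tally2` ever counts it and the lockout never trips. Add `regexp: '^auth\s+required\s+pam_tally2\.so'` and `insertbefore: '^auth\s+\[success=1'` (or `insertbefore: BOF`) to that task. The `5.4.3` hunk below still carries the lockout rationale under "Ensure password reuse is limited"; `# Remembering previous hashes stops users from rotating straight back to a password that may already be compromised.` would describe the actual control.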
@@ -533,10 +556,10 @@ - section5 - level_1_server - level_1_workstation - - 5.3.3 -# 5.3.4 Ensure password hashing algorithm is SHA-512 + - 5.4.3 +# 5.4.4 Ensure password hashing algorithm is SHA-512 # The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. -- name: 5.3.4 Ensure password hashing algorithm is SHA-512 +- name: 5.4.4 Ensure password hashing algorithm is SHA-512 lineinfile: dest: /etc/pam.d/common-password regexp: '^password\s+\[success' 
@@ -545,52 +568,57 @@ - section5 - level_1_server - level_1_workstation - - 5.3.4 -# 5.4 User Accounts and Environment -# 5.4.1 Set Shadow Password Suite Parameters + - 5.4.4 +# 5.5 User Accounts and Environment +# 5.5.1 Set Shadow Password Suite Parameters # # # The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity. -- name: 5.4.1 Set Shadow Password Suite Parameters - lineinfile: - dest: /etc/pam.d/common-password - regexp: '^password\s+\[success' - line: "password [success=1 default=ignore] pam_unix.so sha512" - tags: - - section5 - - level_1_server - - level_1_workstation - - 5.4.1 -# 5.4.1.1 Ensure password expiration is 365 days or less -# 5.4.1.2 Ensure minimum days between password changes is configured -# 5.4.1.3 Ensure password expiration warning days is 7 or more -- name: "5.4.1.1 Ensure password expiration is 365 days or less\n - 5.4.1.2 Ensure minimum days between password changes is configured\n - 5.4.1.3 Ensure password expiration warning days is 7 or more" +# - name: 5.5.1 Set Shadow Password Suite Parameters +# lineinfile: +# dest: /etc/pam.d/common-password +# regexp: '^password\s+\[success' +# line: "password [success=1 default=ignore] pam_unix.so sha512" +# tags: +# - section5 +# - level_1_server +# - level_1_workstation +# - 5.5.1 +# 5.5.1.1 Ensure password expiration is 365 days or less +# 5.5.1.1 Ensure minimum days between password changes is configured +# 5.5.1.3 Ensure password expiration warning days is 7 or more +- name: "5.5.1.1 Ensure minimum days between password changes is configured\n + 5.5.1.2 Ensure password expiration is 365 days or less\n + 5.5.1.3 Ensure password expiration warning days is 7 or more" block: - - name: 5.4.1.1 Ensure password expiration is 365 days or less | PASS_MAX_DAYS + - name: 
5.5.1.1 Ensure minimum days between password changes is configured | PASS_MIN_DAYS lineinfile: state: present dest: /etc/login.defs - regexp: "^PASS_MAX_DAYS" - line: "PASS_MAX_DAYS {{ pass_expire_in_days }}" - - name: 5.4.1.1 Ensure password expiration is 365 days or less | PASS_MIN_DAYS + regexp: "^PASS_MIN_DAYS" + line: "PASS_MIN_DAYS {{ pass_min_days }}" + + - name: 5.5.1.2 Ensure password expiration is 365 days or less | PASS_MAX_DAYS lineinfile: state: present dest: /etc/login.defs - regexp: "^PASS_MIN_DAYS" - line: "PASS_MIN_DAYS {{ pass_min_days }}" - - name: 5.4.1.1 Ensure password expiration is 365 days or less | PASS_WARN_AGE + regexp: "^PASS_MAX_DAYS" + line: "PASS_MAX_DAYS {{ pass_expire_in_days }}" + + - name: 5.5.1.3 Ensure password expiration warning days is 7 or more | PASS_WARN_AGE lineinfile: state: present dest: /etc/login.defs regexp: "^PASS_WARN_AGE" line: "PASS_WARN_AGE {{ pass_warn_age }}" - - name: 5.4.1.1 Ensure password expiration is 365 days or less | chage + + - name: 5.5.1.2 Ensure password expiration is 365 days or less | chage command: "chage --maxdays {{ pass_expire_in_days }} {{ item }}" with_items: "{{ list_of_os_users }}" - - name: 5.4.1.1 Ensure password expiration is 365 days or less | chage --mindays + + - name: 5.5.1.1 Ensure minimum days between password changes is configured | chage --mindays command: "chage --mindays {{ pass_min_days }} {{ item }}" with_items: "{{ list_of_os_users }}" - - name: 5.4.1.1 Ensure password expiration is 365 days or less | chage --warndays + + - name: 5.5.1.3 Ensure password expiration warning days is 7 or more | chage --warndays command: "chage --warndays {{ pass_warn_age }} {{ item }}" with_items: "{{ list_of_os_users }}" ignore_errors: yes 
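Review bot: The comment header above the `5.5.1.x` block numbers both the expiration and the minimum-days items as `5.5.1.1`, which contradicts the task names directly beneath it (`5.5.1.1` = minimum days, `5.5.1.2` = expiration); change the first comment line to `# 5.5.1.2 Ensure password expiration is 365 days or less` and order the three comments 5.5.1.1, 5.5.1.2, 5.5.1.3 to match the tasks. Now that this is the new code, note that `ignore_errors: yes` on the whole block also hides a misspelled entry in `list_of_os_users` or a genuine `chage` failure on a real account, and the three `chage` commands report changed on every run; registering their results with `changed_when: false` and failing on anything other than a "does not exist" error would keep the intent without the blanket suppression. The block's tag list continues in the next hunk.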
@@ -598,15 +626,15 @@ - section5 - level_1_server - level_1_workstation - - 5.4.1.1 - - 5.4.1.2 - - 5.4.1.3 -# 5.4.1.4 Ensure inactive password lock is 30 days or less -- name: 5.4.1.4 Ensure inactive password lock is 30 days or less + - 5.5.1.1 + - 5.5.1.2 + - 5.5.1.3 +# 5.5.1.4 Ensure inactive password lock is 30 days or less +- name: 5.5.1.4 Ensure inactive password lock is 30 days or less block: - - name: 5.4.1.4 Ensure inactive password lock is 30 days or less | useradd + - name: 5.5.1.4 Ensure inactive password lock is 30 days or less | useradd command: "useradd -D -f {{ account_inactive }}" - - name: 5.4.1.4 Ensure inactive password lock is 30 days or less | useradd + - name: 5.5.1.4 Ensure inactive password lock is 30 days or less | useradd command: "chage --inactive {{ account_inactive }} {{ item }}" with_items: "{{ list_of_os_users }}" ignore_errors: yes @@ -614,12 +642,12 @@ - section5 - level_1_server - level_1_workstation - - 5.4.1.4 -# 5.4.1.5 Ensure all users last password change date is in the past + - 5.5.1.4 +# 5.5.1.5 Ensure all users last password change date is in the past # Investigate any users with a password change date in the future and correct them. Locking the account, expiring the password, or resetting the password manually may be appropriate. -- name: 5.4.1.5 Ensure all users last password change date is in the past +- name: 5.5.1.5 Ensure all users last password change date is in the past block: - - name: 5.4.1.5 Ensure all users last password change date is in the past | get list + - name: 5.5.1.5 Ensure all users last password change date is in the past | get list shell: | awk -F: '{print $1}' /etc/shadow | while read -r user do 
@@ -628,20 +656,20 @@ fi done register: output_5_4_1_5 - - name: 5.4.1.5 Ensure all users last password change date is in the past | save list + - name: 5.5.1.5 Ensure all users last password change date is in the past | save list copy: - dest: "{{ outputfiles }}/5.4.1.5" + dest: "{{ outputfiles }}/5.5.1.5" content: "{{ output_5_4_1_5.stdout_lines }}" tags: - section5 - level_1_server - level_1_workstation - - 5.4.1.5 + - 5.5.1.5 - manual -# 5.4.2 Ensure system accounts are secured -- name: 5.4.2 Ensure system accounts are secured +# 5.5.2 Ensure system accounts are secured +- name: 5.5.2 Ensure system accounts are secured block: - - name: 5.4.2 Ensure system accounts are secured | set all system accounts to a non login shell + - name: 5.5.2 Ensure system accounts are secured | set all system accounts to a non login shell shell: | for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do if [ $user != "root" ]; then 
@@ -656,47 +684,47 @@ - section5 - level_1_server - level_1_workstation - - 5.4.2 -# 5.4.3 Ensure default group for the root account is GID 0 + - 5.5.2 +# 5.5.3 Ensure default group for the root account is GID 0 # Using GID 0 for the root account helps prevent root -owned files from accidentally becoming accessible to non-privileged users. -- name: 5.4.3 Ensure default group for the root account is GID 0 +- name: 5.5.3 Ensure default group for the root account is GID 0 command: usermod -g 0 root tags: - section5 - level_1_server - level_1_workstation - - 5.4.3 -# 5.4.4 Ensure default user umask is 027 or more restrictive + - 5.5.3 +# 5.5.4 Ensure default user umask is 027 or more restrictive # # # # Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. 
-- name: 5.4.4 Ensure default user umask is 027 or more restrictive +- name: 5.5.4 Ensure default user umask is 027 or more restrictive block: - - name: 5.4.4 Ensure default user umask is 027 or more restrictive | /etc/login.defs + - name: 5.5.4 Ensure default user umask is 027 or more restrictive | /etc/login.defs lineinfile: state: present dest: /etc/login.defs regexp: '^UMASK\s' line: "UMASK 027" mode: "0666" - - name: 5.4.4 Ensure default user umask is 027 or more restrictive | /etc/pam.d/common-session + - name: 5.5.4 Ensure default user umask is 027 or more restrictive | /etc/pam.d/common-session lineinfile: dest: /etc/pam.d/common-session regexp: '^session optional\s+' line: "session optional pam_umask.so" - - name: 5.4.4 Ensure default user umask is 027 or more restrictive - /etc/bash.bashrc + - name: 5.5.4 Ensure default user umask is 027 or more restrictive - /etc/bash.bashrc lineinfile: state: present dest: /etc/bash.bashrc create: true regexp: "^umask " line: "umask 027" - - name: 5.4.4 Ensure default user umask is 027 or more restrictive - /etc/profile + - name: 5.5.4 Ensure default user umask is 027 or more restrictive - /etc/profile lineinfile: state: present dest: /etc/profile create: true regexp: "^umask " line: "umask 027" - - name: 5.4.4 Ensure default user umask is 027 or more restrictive - /etc/profile.d/umask.sh + - name: 5.5.4 Ensure default user umask is 027 or more restrictive - /etc/profile.d/umask.sh lineinfile: state: present dest: /etc/profile.d/umask.sh 
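Review bot: `5.5.4 ... | /etc/login.defs` sets `mode: "0666"` on `/etc/login.defs`, which makes the file world-writable; any local user could then raise `UMASK`, change `PASS_MAX_DAYS`/`PASS_MIN_DAYS` or the UID/GID ranges for every later login and account creation, undoing much of section 5. The file should stay root-owned and `0644`, so change the line to `mode: "0644"` (the other three `umask` tasks only touch shell startup files and can stay as they are). The commit only renumbers this block, so the defect is pre-existing, but it is a real privilege-escalation foothold and worth fixing in the same change.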
@@ -707,26 +735,26 @@ - section5 - level_1_server - level_1_workstation - - 5.4.4 -# 5.4.5 Ensure default user shell timeout is 900 seconds or less + - 5.5.4 +# 5.5.5 Ensure default user shell timeout is 900 seconds or less # # Setting a timeout value reduces the window of opportunity for unauthorized user access to another user's shell session that has been left unattended. It also ends the inactive session and releases the resources associated with that session -- name: 5.4.5 Ensure default user shell timeout is 900 seconds or less +- name: 5.5.5 Ensure default user shell timeout is 900 seconds or less block: - - name: 5.4.5 Ensure default user shell timeout is 900 seconds or less | /etc/bash.bashrc + - name: 5.5.5 Ensure default user shell timeout is 900 seconds or less | /etc/bash.bashrc lineinfile: state: present dest: /etc/bash.bashrc create: true regexp: "^TMOUT=" line: "TMOUT={{ shell_timeout_sec }} ; export TMOUT" - - name: 5.4.5 Ensure default user shell timeout is 900 seconds or less | /etc/profile + - name: 5.5.5 Ensure default user shell timeout is 900 seconds or less | /etc/profile lineinfile: state: present dest: /etc/profile create: true regexp: "^TMOUT=" line: "TMOUT={{ shell_timeout_sec }} ; export TMOUT" - - name: 5.4.5 Ensure default user shell timeout is 900 seconds or less | /etc/profile.d/timeout.sh + - name: 5.5.5 Ensure default user shell timeout is 900 seconds or less | /etc/profile.d/timeout.sh lineinfile: state: present dest: /etc/profile.d/tmout.sh 
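Review bot: The task named `... | /etc/profile.d/timeout.sh` writes to `dest: /etc/profile.d/tmout.sh`; pick one filename so the task name, the file on disk and any audit grep agree. The line written is `TMOUT={{ shell_timeout_sec }} ; export TMOUT`, and as I recall the v1.1.0 audit for 5.5.5 also expects `readonly TMOUT` so an interactive user cannot simply `unset TMOUT`; worth checking against the benchmark text and, if so, using `TMOUT={{ shell_timeout_sec }} ; readonly TMOUT ; export TMOUT` in all three files. The `regexp: "^TMOUT="` will still match the longer line, so the change stays idempotent.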
@@ -737,38 +765,38 @@ - section5 - level_1_server - level_1_workstation - - 5.4.5 -# 5.5 Ensure root login is restricted to system console + - 5.5.5 +# 5.6 Ensure root login is restricted to system console # Since the system console has special properties to handle emergency situations, it is important to ensure that the console is in a physically secure location and that unauthorized consoles have not been defined. -- name: 5.5 Ensure root login is restricted to system console +- name: 5.6 Ensure root login is restricted to system console block: - - name: 5.5 Ensure root login is restricted to system console | check file + - name: 5.6 Ensure root login is restricted to system console | check file stat: path: /etc/securetty register: securetty - - name: 5.5 Ensure root login is restricted to system console | save output + - name: 5.6 Ensure root login is restricted to system console | save output copy: - dest: "{{ outputfiles }}/5.5" + dest: "{{ outputfiles }}/5.6" content: "{{ securetty }}" ignore_errors: yes tags: - section5 - level_1_server - level_1_workstation - - _5.5 + - _5.6 - manual -# 5.6 Ensure access to the su command is restricted +# 5.7 Ensure access to the su command is restricted # Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program. 
-- name: 5.6 Ensure access to the su command is restricted +- name: 5.7 Ensure access to the su command is restricted block: - - name: 5.6 Ensure access to the su command is restricted | create su-group-access + - name: 5.7 Ensure access to the su command is restricted | create su-group-access template: src: files/templates/etc/su-group-access.j2 dest: "/etc/security/su-group-access" owner: root group: root mode: 0644 - - name: 5.6 Ensure access to the su command is restricted | create pam-d-su + - name: 5.7 Ensure access to the su command is restricted | create pam-d-su template: src: files/templates/etc/pam-d-su.j2 dest: "/etc/pam.d/su" @@ -779,4 +807,4 @@ - section5 - level_1_server - level_1_workstation - - "5.6" \ No newline at end of file + - "5.7" diff --git a/tasks/section_6_System_Maintenance.yaml b/tasks/section_6_System_Maintenance.yaml index a150f26..031faa9 100644 --- a/tasks/section_6_System_Maintenance.yaml +++ b/tasks/section_6_System_Maintenance.yaml 
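Review bot: The tag under `5.6 Ensure root login is restricted to system console` is written `- _5.6` while the `su` task a few lines down uses `- "5.7"`, so `ansible-playbook --tags 5.6` does not select the securetty check and `--list-tags` shows a stray `_5.6`. Quote it like the sibling: `- "5.6"` (the quotes are what stop YAML from reading `5.6` as a float, which is presumably why the underscore was introduced). The block only stats `/etc/securetty` and saves the result, leaving the actual restriction to the operator; the `manual` tag conveys that, but a one-line comment above the task such as `# Audit only: records whether /etc/securetty exists; restricting root to the console is left to the operator.` would make it explicit.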
@@ -30,34 +30,34 @@ - level_1_server - level_1_workstation - 6.1.2 -# 6.1.3 Ensure permissions on /etc/gshadow- are configured -- name: 6.1.3 Ensure permissions on /etc/gshadow- are configured +# 6.1.3 Ensure permissions on /etc/passwd- are configured +- name: 6.1.3 Ensure permissions on /etc/passwd- are configured file: - dest: /etc/gshadow- + dest: /etc/passwd- owner: root - group: shadow - mode: 0640 + group: root + mode: 0600 tags: - section6 - level_1_server - level_1_workstation - 6.1.3 -# 6.1.4 Ensure permissions on /etc/shadow are configured -- name: 6.1.4 Ensure permissions on /etc/shadow are configured +# 6.1.4 Ensure permissions on /etc/group are configured +- name: 6.1.4 Ensure permissions on /etc/group are configured file: - dest: /etc/shadow + dest: /etc/group owner: root - group: shadow - mode: 0640 + group: root + mode: 0644 tags: - section6 - level_1_server - level_1_workstation - 6.1.4 -# 6.1.5 Ensure permissions on /etc/group are configured -- name: 6.1.5 Ensure permissions on /etc/group are configured +# 6.1.5 Ensure permissions on /etc/group- are configured +- name: 6.1.5 Ensure permissions on /etc/group- are configured file: - dest: /etc/group + dest: /etc/group- owner: root group: root mode: 0644 @@ -66,18 +66,20 @@ - level_1_server - level_1_workstation - 6.1.5 -# 6.1.6 Ensure permissions on /etc/passwd- are configured -- name: 6.1.6 Ensure permissions on /etc/passwd- are configured + +# 6.1.6 Ensure permissions on /etc/shadow are configured +- name: 6.1.6 Ensure permissions on /etc/shadow are configured file: - dest: /etc/passwd- + dest: /etc/shadow owner: root - group: root - mode: 0600 + group: shadow + mode: 0640 tags: - section6 - level_1_server - level_1_workstation - 6.1.6 + # 6.1.7 Ensure permissions on /etc/shadow- are configured - name: 6.1.7 Ensure permissions on /etc/shadow- are configured file: 
@@ -90,22 +92,24 @@ - level_1_server - level_1_workstation - 6.1.7 -# 6.1.8 Ensure permissions on /etc/group- are configured -- name: 6.1.8 Ensure permissions on /etc/group- are configured + +# 6.1.8 Ensure permissions on /etc/gshadow are configured +- name: 6.1.8 Ensure permissions on /etc/gshadow are configured file: - dest: /etc/group- + dest: /etc/gshadow owner: root - group: root - mode: 0644 + group: shadow + mode: 0640 tags: - section6 - level_1_server - level_1_workstation - 6.1.8 -# 6.1.9 Ensure permissions on /etc/gshadow are configured -- name: 6.1.9 Ensure permissions on /etc/gshadow are configured + +# 6.1.9 Ensure permissions on /etc/gshadow- are configured +- name: 6.1.9 Ensure permissions on /etc/gshadow- are configured file: - dest: /etc/gshadow + dest: /etc/gshadow- owner: root group: shadow mode: 0640 @@ -114,6 +118,7 @@ - level_1_server - level_1_workstation - 6.1.9 + # 6.1.10 Ensure no world writable files exist - name: 6.1.10 Ensure no world writable files exist block: 
@@ -220,69 +225,66 @@ - 6.1.14 - manual # 6.2 User and Group Settings -# 6.2.1 Ensure password fields are not empty -- name: 6.2.1 Ensure password fields are not empty +# 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords +# Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off. +- name: 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords + shell: | + sed -e 's/^\([a-zA-Z0-9_]*\):[^:]*:/\1:x:/' -i /etc/passwd + tags: + - section6 + - level_1_server + - level_1_workstation + - 6.2.1 + - manual +# 6.2.2 Ensure password fields are not empty +- name: 6.2.2 Ensure password fields are not empty block: - - name: 6.2.1 Ensure password fields are not empty | list + - name: 6.2.2 Ensure password fields are not empty | list shell: | awk -F: '($2 == "" ) { print $1 }' /etc/shadow register: output_6_2_1 - - name: 6.2.1 Ensure password fields are not empty | Save output + - name: 6.2.2 Ensure password fields are not empty | Save output copy: - dest: "{{ outputfiles }}/6.2.1" + dest: "{{ outputfiles }}/6.2.2" content: "{{ output_6_2_1.stdout_lines }}" - - name: 6.2.1 Ensure password fields are not empty | Lock account + - name: 6.2.2 Ensure password fields are not empty | Lock account user: name: "{{ item }}" password_lock: yes with_items: "{{ output_6_2_1.stdout_lines }}" when: - "{{ output_6_2_1.stdout_lines }}" - tags: - - section6 - - level_1_server - - level_1_workstation - - 6.2.1 - - manual -# 6.2.2 Ensure root is the only UID 0 account -- name: 6.2.2 Ensure root is the only UID 0 account - block: - - name: 6.2.2 Ensure root is the only UID 0 account| list - shell: | - awk -F: '($3 == 0) { print $1 }' /etc/passwd | grep -v root && true || true - register: output_6_2_2 - - name: 6.2.2 Ensure root is the only UID 0 account | Save output - copy: - dest: "{{ outputfiles }}/6.2.2" - content: "{{ output_6_2_2.stdout_lines }}" - # - name: 6.2.2 Ensure root is the only UID 0 account | Lock 
account - # user: - # name: "{{ item }}" - # uid: 1992 - # force: yes - # with_items: "{{ output_6_2_2.stdout_lines }}" tags: - section6 - level_1_server - level_1_workstation - 6.2.2 - manual -# 6.2.3 Ensure root PATH Integrity -- name: 6.2.3 Ensure root PATH Integrity + + +# 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group +- name: 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group block: - - name: 6.2.3 Ensure root PATH Integrity | run - script: 6_2_3.sh - register: output_6_2_3 - - name: 6.2.3 Ensure root PATH Integrity | save output + - name: 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group | list + shell: | + for i in $(cut -s -d: -f4 /etc/passwd | sort -u); do + grep -q -P "^.*?:[^:]*:$i:" /etc/group + if [ $? -ne 0 ]; then + echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group" + fi + done + register: output_6_2_12 + - name: 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group | save output copy: dest: "{{ outputfiles }}/6.2.3" - content: "{{ output_6_2_3 }}" + content: "{{ output_6_2_12 }}" tags: - section6 - level_1_server - level_1_workstation - 6.2.3 - manual + # 6.2.4 Ensure all users' home directories exist - name: 6.2.4 Ensure all users' home directories exist block: 
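Review bot: The new `6.2.1 Ensure accounts in /etc/passwd use shadowed passwords` task runs `sed -i` over `/etc/passwd` unconditionally, so it rewrites the system account database and reports changed on every play, which sits oddly with its `manual` tag and with the comment above it that says to investigate first. Note also that the pattern `^\([a-zA-Z0-9_]*\):` (the benchmark's own remediation command) does not match account names containing `-`, so a `systemd-network`-style account with a non-`x` password field would be silently left alone. I would audit first, save the finding like the other 6.2.x tasks do, and only then run the sed, which also gives the operator the list the comment asks them to investigate; the register name below deliberately differs from `output_6_2_1`, which task 6.2.2 reuses a few lines later. The 6.2.3 task in the same hunk still registers `output_6_2_12` from the old numbering; `output_6_2_3` would match its sibling tasks.
```yaml
- name: 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords
  block:
    - name: 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords | list
      shell: |
        awk -F: '($2 != "x" ) { print $1 }' /etc/passwd
      register: output_6_2_1_unshadowed
      changed_when: false
    - name: 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords | save output
      copy:
        dest: "{{ outputfiles }}/6.2.1"
        content: "{{ output_6_2_1_unshadowed.stdout_lines }}"
    - name: 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords | fix
      shell: |
        sed -e 's/^\([a-zA-Z0-9_]*\):[^:]*:/\1:x:/' -i /etc/passwd
      when: output_6_2_1_unshadowed.stdout_lines | length > 0
  # … unchanged: tags …
```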
@@ -311,52 +313,54 @@ - level_1_server - level_1_workstation - 6.2.4 -# 6.2.5 Ensure users' home directories permissions are 750 or more restrictive -- name: 6.2.5 Ensure users' home directories permissions are 750 or more restrictive - block: - - name: 6.2.5 Ensure users home directories permissions are 750 or more restrictive - list - script: 6_2_5.sh - register: output_6_2_5 - - name: 6.2.5 Ensure users' home directories permissions are 750 or more restrictive - save - copy: - dest: "{{ outputfiles }}/6.2.5" - content: "{{ output_6_2_5.stdout_lines }}" - - name: 6.2.5 Ensure users home directories permissions are 750 or more restrictive - fix - file: - name: "{{ item }}" - mode: "g-w,o-rwx" - with_items: "{{ output_6_2_5.stdout_lines }}" - when: "{{ output_6_2_5.stdout_lines|length > 0 }}" - tags: - - section6 - - level_1_server - - level_1_workstation - - 6.2.5 -# 6.2.6 Ensure users own their home directories -- name: 6.2.6 Ensure users own their home directories +# 6.2.5 Ensure users own their home directories +- name: 6.2.5 Ensure users own their home directories block: - - name: 6.2.6 Ensure users own their home directories | list + - name: 6.2.5 Ensure users own their home directories | list script: 6_2_6.sh register: output_6_2_6 - - name: 6.2.6 Ensure users own their home directories | Var + - name: 6.2.5 Ensure users own their home directories | Var set_fact: output_6_2_6_list: "{{ output_6_2_6.stdout_lines | list }}" - - name: 6.2.6 Ensure users own their home directories | save output + - name: 6.2.5 Ensure users own their home directories | save output copy: - dest: "{{ outputfiles }}/6.2.6" + dest: "{{ outputfiles }}/6.2.5" content: "{{ output_6_2_6_list }}" - - name: 6.2.6 Ensure users own their home directories | fix + - name: 6.2.5 Ensure users own their home directories | fix file: path: "{{ item.split(',')[0] }}" group: "{{ item.split(',')[1] }}" owner: "{{ item.split(',')[1] }}" recurse: yes with_items: "{{ output_6_2_6_list }}" + tags: + - 
section6 + - level_1_server + - level_1_workstation + - 6.2.5 + +# 6.2.6 Ensure users' home directories permissions are 750 or more restrictive +- name: 6.2.6 Ensure users' home directories permissions are 750 or more restrictive + block: + - name: 6.2.6 Ensure users home directories permissions are 750 or more restrictive - list + script: 6_2_5.sh + register: output_6_2_5 + - name: 6.2.6 Ensure users' home directories permissions are 750 or more restrictive - print output + copy: + dest: "{{ outputfiles }}/6.2.6" + content: "{{ output_6_2_5.stdout_lines }}" + - name: 6.2.6 Ensure users home directories permissions are 750 or more restrictive - fix + file: + name: "{{ item }}" + mode: "g-w,o-rwx" + with_items: "{{ output_6_2_5.stdout_lines }}" + when: "{{ output_6_2_5.stdout_lines|length > 0 }}" tags: - section6 - level_1_server - level_1_workstation - 6.2.6 + # 6.2.7 Ensure users' dot files are not group or world writable - name: 6.2.7 Ensure users dot files are not group or world writable block: 
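Review bot: The `6.2.5 ... | fix` task calls `file:` with `recurse: yes` but no `state:`; the file module rejects `recurse` unless `state: directory`, so the task errors exactly when `output_6_2_6_list` is non-empty, i.e. only when there is something to repair (it is skipped on an empty list, which is why the failure is easy to miss in testing). Add `state: directory` to that task, or drop `recurse` altogether, since the control only requires the home directory itself to be owned by the user and re-owning the whole tree can clobber files the user deliberately shares. This hunk only swaps the order of 6.2.5 and 6.2.6, so the defect is pre-existing; the relocated `6.2.6` block also keeps the bare-Jinja condition `when: "{{ output_6_2_5.stdout_lines|length > 0 }}"`, which should read `when: output_6_2_5.stdout_lines | length > 0`, and its `6_2_5.sh`/`output_6_2_5` names now serve task 6.2.6.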
@@ -382,92 +386,99 @@ - level_1_workstation - 6.2.7 - manual -# 6.2.8 Ensure no users have .forward files -- name: 6.2.8 Ensure no users have .forward files + +# 6.2.8 Ensure no users have .netrc files +- name: 6.2.8 Ensure no users have .netrc files block: - - name: 6.2.8 Ensure no users have .forward files | list - script: 6_2_8.sh - register: output_6_2_8 - - name: 6.2.8 Ensure no users have .forward files | save output + - name: 6.2.8 Ensure no users have .netrc files | list + script: 6_2_9.sh + register: output_6_2_9 + - name: 6.2.8 Ensure no users have .netrc files | save output copy: dest: "{{ outputfiles }}/6.2.8" - content: "{{ output_6_2_8.stdout }}" + content: "{{ output_6_2_9.stdout }}" tags: - section6 - level_1_server - level_1_workstation - 6.2.8 - manual -# 6.2.9 Ensure no users have .netrc files -- name: 6.2.9 Ensure no users have .netrc files + +# 6.2.9 Ensure no users have .forward files +- name: 6.2.9 Ensure no users have .forward files block: - - name: 6.2.9 Ensure no users have .netrc files | list - script: 6_2_9.sh - register: output_6_2_9 - - name: 6.2.9 Ensure no users have .netrc files | save output + - name: 6.2.9 Ensure no users have .forward files | list + script: 6_2_8.sh + register: output_6_2_8 + - name: 6.2.9 Ensure no users have .forward files | save output copy: dest: "{{ outputfiles }}/6.2.9" - content: "{{ output_6_2_9.stdout }}" + content: "{{ output_6_2_8.stdout }}" tags: - section6 - level_1_server - level_1_workstation - 6.2.9 - manual -# 6.2.10 Ensure users' .netrc Files are not group or world accessible -- name: 6.2.10 Ensure users' .netrc Files are not group or world accessible +# 6.2.10 Ensure no users have .rhosts files +- name: 6.2.10 Ensure no users have .rhosts files block: - - name: 6.2.10 Ensure users' .netrc Files are not group or world accessible | list - script: files/6_2_10.sh - register: output_6_2_10 - - name: 6.2.10 Ensure users' .netrc Files are not group or world accessible | save output + - name: 6.2.10 
Ensure no users have .rhosts files | list + script: files/6_2_11.sh + register: output_6_2_11 + - name: 6.2.10 Ensure no users have .rhosts files | save output copy: dest: "{{ outputfiles }}/6.2.10" - content: "{{ output_6_2_10.stdout }}" + content: "{{ output_6_2_11.stdout }}" tags: - section6 - level_1_server - level_1_workstation - 6.2.10 - manual -# 6.2.11 Ensure no users have .rhosts files -- name: 6.2.11 Ensure no users have .rhosts files + +# 6.2.11 Ensure root is the only UID 0 account +- name: 6.2.11 Ensure root is the only UID 0 account block: - - name: 6.2.11 Ensure no users have .rhosts files | list - script: files/6_2_11.sh - register: output_6_2_11 - - name: 6.2.11 Ensure no users have .rhosts files | save output + - name: 6.2.11 Ensure root is the only UID 0 account| list + shell: | + awk -F: '($3 == 0) { print $1 }' /etc/passwd | grep -v root && true || true + register: output_6_2_2 + - name: 6.2.11 Ensure root is the only UID 0 account | Save output copy: dest: "{{ outputfiles }}/6.2.11" - content: "{{ output_6_2_11.stdout }}" + content: "{{ output_6_2_2.stdout_lines }}" + # - name: 6.2.11 Ensure root is the only UID 0 account | Lock account + # user: + # name: "{{ item }}" + # uid: 1992 + # force: yes + # with_items: "{{ output_6_2_2.stdout_lines }}" tags: - section6 - level_1_server - level_1_workstation - 6.2.11 - manual -# 6.2.12 Ensure all groups in /etc/passwd exist in /etc/group -- name: 6.2.12 Ensure all groups in /etc/passwd exist in /etc/group + +# 6.2.12 Ensure root PATH Integrity +- name: 6.2.12 Ensure root PATH Integrity block: - - name: 6.2.12 Ensure all groups in /etc/passwd exist in /etc/group | list - shell: | - for i in $(cut -s -d: -f4 /etc/passwd | sort -u); do - grep -q -P "^.*?:[^:]*:$i:" /etc/group - if [ $? 
-ne 0 ]; then - echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group" - fi - done - register: output_6_2_12 - - name: 6.2.12 Ensure all groups in /etc/passwd exist in /etc/group | save output + - name: 6.2.12 Ensure root PATH Integrity | run + script: 6_2_3.sh + register: output_6_2_3 + - name: 6.2.12 Ensure root PATH Integrity | save output copy: dest: "{{ outputfiles }}/6.2.12" - content: "{{ output_6_2_12 }}" + content: "{{ output_6_2_3 }}" tags: - section6 - level_1_server - level_1_workstation - 6.2.12 - manual + + # 6.2.13 Ensure no duplicate UIDs exist - name: 6.2.13 Ensure no duplicate UIDs exist block: @@ -492,6 +503,8 @@ - level_1_workstation - 6.2.13 - manual + + # 6.2.14 Ensure no duplicate GIDs exist - name: 6.2.14 Ensure no duplicate GIDs exist block: @@ -511,6 +524,8 @@ - level_1_workstation - 6.2.14 - manual + + # 6.2.15 Ensure no duplicate user names exist - name: 6.2.15 Ensure no duplicate user names exist block: @@ -530,6 +545,7 @@ - level_1_workstation - 6.2.15 - manual + # 6.2.16 Ensure no duplicate group names exist - name: 6.2.16 Ensure no duplicate group names exist block: @@ -549,6 +565,7 @@ - level_1_workstation - 6.2.16 - manual + # 6.2.17 Ensure shadow group is empty - name: 6.2.17 Ensure shadow group is empty block:
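Review bot: `6.2.11 Ensure root is the only UID 0 account | list` filters with `grep -v root`, which drops every line containing the substring `root`, so a second UID-0 account named, say, `rootbak` or `groot` — precisely the backdoor this control exists to surface — never reaches the saved report. Do the exclusion in awk with an exact match, `awk -F: '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd`, and drop the `&& true || true` tail, which only existed to mask grep's non-zero exit on an empty result. Separately, the renumber has left script and register names pointing at the old numbering — 6.2.8 runs `6_2_9.sh` into `output_6_2_9`, 6.2.9 runs `6_2_8.sh`, 6.2.10 runs `files/6_2_11.sh`, 6.2.12 runs `6_2_3.sh` into `output_6_2_3` — which works but will mislead the next reader; either rename the scripts to match or add a short comment on each task naming the script it runs. The remaining hunks on this line add blank lines only.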